1. INTRODUCTION

This report is the third Semi-Annual Status Report on the
research project "Models and Techniques for Evaluating the
Effectiveness of Aircraft Computing Systems" being conducted
for the NASA Langley Research Center under NASA Grant 1306.

The subject grant was initiated 1 May 1976 for a one year
period and extended 1 May 1977 for a second one year period. This
report concerns work accomplished during the first half of the
second year, that is, the period from 1 May 1977 to 31 October
1977, hereafter referred to as the reporting period.

The purpose of this research project is to develop models, 
measures and techniques for evaluating the effectiveness of 
aircraft computing systems. By "effectiveness" in this context 
we mean the extent to which the user, i.e., a commercial air 
carrier, may expect to benefit from the computational tasks 
accomplished by a computing system in the environment of an 
advanced commercial aircraft. Thus the concept of effectiveness 
involves aspects of system performance, reliability and worth 
(value, benefit) which must be appropriately integrated in the 
process of evaluating system effectiveness. More specifically, 
the primary objectives of this project are: 

1) The development of system models that can provide
a basis for the formulation and evaluation of
aircraft computer system effectiveness,

2) The formulation of quantitative measures of system 
effectiveness, and 

3) The development of analytic and simulation techniques
for evaluating the effectiveness of a
proposed or existing aircraft computer.

Work accomplished during the first year [1], [2] was concerned
primarily with objectives 1) and 2). Midway through the
first year, a decision was made to decouple the performance and
reliability aspects of effectiveness from the worth aspect and
to focus the effort on performance and reliability issues.

As argued when this research was originally proposed, and as 
further substantiated by work accomplished to date, the issues 
of performance and reliability must be dealt with simultaneously 
in the process of evaluating system effectiveness. The term
"performability" was introduced to refer to this unification of
performance and reliability, and performability was identified
with effectiveness in the above stated objectives.

During the current reporting period, work has been performed
in connection with objective 3) as well as objectives
1) and 2). More specifically, this work has concerned:

1) Further formal development of the general modeling
framework that serves as the basis for performability
evaluation, including more precise definitions
of "base model" and "system performance"
which permit a general definition of "performability"
relative to any discrete-valued performance
variable,

2) Formal justification of the performability concept 
and identification of conditions under which 
performance and reliability can be treated 
independently, 


3) Further development of the general concept of
"capability" and verification of the fact that
capability functions, in their ability to relate
state behavior to system performance, are indeed
more general than "structure functions" or, equivalently,
the representation of structure functions
by "fault-trees",


4) Formulation of the capability function in terms
of a model hierarchy and its associated "interlevel
translations",

5) Further investigation of the "functional dependence"
inherent in a capability function, including proofs
of fundamental properties,

6) The use of time "phasing" and state "lumping"
to simplify the evaluation of performability,
in particular, the establishment of conditions
under which different phases can employ different
lumpings (referred to informally as "Michigan
lumping"),

7) More detailed development of analytical methods
for determining the trajectory set of an
accomplishment level a, including methods of
representing trajectory sets at various levels
of the model hierarchy and methods of computing
the trajectory set $\gamma_{i+1}^{-1}(a)$ at level i+1, given
the trajectory set $\gamma_i^{-1}(a)$ at level i, and

8) Application of the above theory and methodology
to specific examples, including a comprehensive
example illustrating the modeling and subsequent
performability evaluation of a computer in the
environment of a portal-to-portal air transport
mission.

We believe that the following report attests to a substantial
amount of progress in each of the above areas. Moreover,
we feel that the progress to date represents the greater part
of the total effort proposed for the second year of the project
[3].

Section 2 of the report describes the manpower effort proposed
for the current year, the personnel involved in conducting
the investigation, and their levels of effort during the reporting
period. Section 3, the body of the report, describes the
technical status of the research performed during the reporting
period.

3. TECHNICAL STATUS

The following is a comprehensive description of the research
performed during the reporting period. The report is divided
into five subsections under the headings:

3.1 System Models,

3.2 Performability Evaluation, 

3.3 Capability and Functional Dependence, 

3.4 Computation of Trajectory Set Probabilities, and 

3.5 Hierarchical Modeling of an Air Transport Mission. 

Relative to the eight topics listed in the introduction,
Subsection 3.1 reports on further work concerning the formalization
of our general modeling framework (topic 1). Subsection 3.2
gives precise definitions of "performability" and "capability"
and, in terms of these definitions, describes results which
formally justify a unified performance-reliability approach to
system evaluation (topics 2 and 3). Subsection 3.3 reports on
our work concerning hierarchical formulation of the capability
function (topic 4) and on the general concept of functional
dependence (topic 5). Subsection 3.4 reports on research concerning
model simplification for the purpose of computing trajectory set
probabilities, in particular, the use of time "phasing" and state
"lumping" (topic 6). Finally, Section 3.5 discusses the problem
of trajectory set determination and develops a detailed example
of the modeling and evaluation of an air transport mission (topics
7 and 8).

The numbering of definitions, theorems, and supporting results 
begins anew in each of these major subsections. Reference numbers 
in the margin carry the prefix of the major subsection, e.g., the 
first item referenced in subsection 3.1 is numbered 3.1.1.

3.1. System Models

During the reporting period, we have developed a
probability-theoretic basis for the modeling framework discussed
in the previous Semi-Annual Status Reports [1,2]. This formal
representation permits us to rigorously restate various
intuitive concepts and assumptions associated with models of
the total system. It also provides us with a more precise
foundation for the investigation of model simplification
techniques such as time "phasing" and state "lumping."

3.1.1. The Model Hierarchy 

As noted in the previous reports (see [2], Section 3.1.1,
pp. 7-8), the total system may be viewed at several levels.
At a lower level, there is a detailed view of how various
components of the computer's hardware and software structure
behave throughout the utilization period. At this level there
is also a detailed view of the behavior of the computer's
"environment," where by this term we mean both man-made
components (user input, peripheral subsystems, etc.) and natural
components (radiation, weather, etc.) which can influence the
computer's effectiveness. A second view of the total system
is the user's view of how the system behaves during utilization,
that is, what the system accomplishes for the user during the
utilization period. A third, even higher level view, is the
computing system's "worth" (as measured, say, in dollars) when
operated in its use environment.

To formalize these views, we postulate the existence of
a probability space $(\Omega, \mathcal{E}, P)$ that underlies the total system,
where $\Omega$ is the (sample) description space, $\mathcal{E}$ is a set of
(measurable) events and $P : \mathcal{E} \to [0,1]$ is the probability measure
(see [4], for example). This probability space represents all
that needs to be known about the total system in order to
describe the probabilistic nature of its behavior at the
various levels described above. It thus provides a hypothetical
basis for defining higher level models. In general,
however, it will neither be possible nor desirable to completely
specify $\Omega$, $\mathcal{E}$ and $P$.

In the discussion that follows, let S denote the total
system, where S is comprised of a computing system C and its
environment E. At the most detailed level, the behavior of S
is formally viewed as a stochastic process

$$X_S = \{X_t \mid t \in T\}$$

where

T = a set of real numbers (observation times) called
the utilization period

and, for all $t \in T$, $X_t$ is a random variable

$$X_t : \Omega \to Q$$

defined on the underlying description space and taking values
in the state space Q of the total system. Depending on the
application, the utilization period T may be discrete
(countable) or continuous and, in cases where one is interested
in long-run behavior, it may be unbounded (e.g., $T = R^+ = [0,\infty)$).

The state space Q embodies the state sets of both the computer
and its environment, i.e.,

$$Q = Q_C \times Q_E$$
where $Q_C$ and $Q_E$ can, in turn, be decomposed to represent the
local state sets of computer and environmental subsystems. For
our purposes, it suffices to assume that Q is countable (finite
or countably infinite) and, hence, for all $t \in T$ and $q \in Q$,
"$X_t = q$" has a probability (i.e., $\{\omega \mid X_t(\omega) = q\} \in \mathcal{E}$). The
random process $X_S$ is referred to as the base model of S. An
instance of the base model's behavior is a state trajectory

$$u_\omega : T \to Q \quad (\omega \in \Omega) \qquad (3.1.1)$$

where

$$u_\omega(t) = X_t(\omega) \quad (t \in T).$$

Thus, corresponding to an underlying outcome $\omega \in \Omega$, $u_\omega$ describes
how the state of the total system changes as a function of
time throughout the utilization period T. Accordingly, the
"description space" for the base model is the set

$$U = \{u_\omega \mid \omega \in \Omega\}$$

which is referred to as the (state) trajectory space of S.

It is worth noting at this point that, for even moderately 
complex systems, the base model may be so large that practical 
methods of formulation or even simulation are precluded. In 
such cases, one must seek simplifications of the base model 
which nevertheless remain detailed enough to support the user's 
view of total system behavior. Accordingly, the question of 
base model simplification will be considered after the complete 
modeling framework has been described. 

In terms of the underlying probability space $(\Omega, \mathcal{E}, P)$ the
user's view of the system is formalized as follows. We assume
that the user is interested in distinguishing a number of
different levels of accomplishment when judging how well the
system has performed throughout the utilization period. (One
such level may be total system failure.) The user's "description
space" is thus identified with an accomplishment set A whose
elements are referred to alternatively as accomplishment levels
or (user-visible) performance levels. A may be finite,
countably infinite, or uncountable (in the last case, A is
assumed to be a subset of real numbers). Thus, for example,
the accomplishment set associated with a nondegradable system
is

$$A = \{a_0, a_1\}$$

where

$a_0$ = "system success"
$a_1$ = "system failure."

In their modeling of the PRIME system, Borgerson and Freitas
viewed the accomplishment set as the set

$$A = \{a_0, a_1, a_2, \ldots\}$$

where $a_k$ = "k crashes during the utilization period T." If
the user is primarily concerned with system "throughput" a
continuous accomplishment set might be appropriate, i.e.,
$A = R^+$ where an element $a \in A$ is the "average throughput over
the utilization period T."

In terms of the accomplishment set, system performance is
formally viewed as a random variable

$$Y_S : \Omega \to A$$

where $Y_S(\omega)$ is the accomplishment level corresponding to
outcome $\omega$ in the underlying description space. Similarly,
assuming that the economic gain (or loss) derived from using
the system is represented by a real number r (interpreted, say,
as r dollars), system worth is a random variable defined as

$$W_S : \Omega \to R \quad \text{(the set of all real numbers)}$$

where $W_S(\omega)$ is the worth associated with outcome $\omega$. The
terminology and notation defined above is summarized below.

Model                        Description Space

Base model $X_S$             Trajectory space U
System performance $Y_S$     Accomplishment set A
System worth $W_S$           The real numbers R

3.2. Performability Evaluation

As discussed in the first Semi-Annual Status Report ([1];
Section 3.3.4, 2) and, subsequently, in the proposal for the
second year ([3]; p. 14), our research effort has focused on
the problem of formulating and evaluating the probabilities of
accomplishing various types and qualities of missions. This
problem was referred to informally as "performability evaluation"
to distinguish it from the more general problem of "effectiveness
evaluation." During the reporting period, we have established
a more precise meaning for the concept of performability so as
to further justify our claims that i) performability is a
component of effectiveness, and ii) performability evaluation cannot
in general be accomplished via independent evaluations of
performance and reliability.

3.2.1. Performability 

In terms of the general modeling framework discussed in
Section 3.1, a natural measure that quantifies both system
performance and reliability (ability to perform) is the probability
function of the performance variable $Y_S$. Accordingly, we have
identified the concept of performability with this measure, that is,

Definition 1: If S is a total system and A is the accomplishment
set associated with system performance $Y_S$, then the
performability of S is the probability function $p_S : A \to [0,1]$
where $p_S(a)$ = the probability that S performs at level a, that
is, $p_S(a) = P(\{\omega \mid Y_S(\omega) = a\})$.

The above definition presumes that the performance variable
$Y_S$ is discrete (i.e., there are countably many accomplishment
levels) although a similar approach, using probability density
functions, can be applied to continuous performance variables.
We will assume that $Y_S$ is discrete throughout the following
discussion.

Given the performability of S and assuming the existence
of a worth measure (see [1], pp. 36-37), system effectiveness
can be expressed as the sum

$$\mathrm{Eff}(S) = \sum_{a \in A} w(a)\, p_S(a) \qquad (3.2.1)$$

where w is a worth measure

$$w : A \to R$$

such that, for all $\omega \in \Omega$,

$$W_S(\omega) = w(Y_S(\omega)).$$

(If $a \in A$, w(a) is interpreted as the "worth of performance
level a.") Equation 3.2.1 generalizes a relationship noted in
our original proposal and shows that performability is an
important component of effectiveness.

To further justify this concept, we note that traditional
evaluations of computer performance and computer reliability
are concerned with special types of performability. Performance
evaluation is concerned with evaluating $p_S$ under the assumption
that the computer part of S is fixed (i.e., its structure does
not change as the consequence of internal faults). Reliability
evaluation is concerned with evaluating

$$p_S(B) = \sum_{a \in B} p_S(a)$$

where B is a designated subset of accomplishment levels associated
with system "success." In these terms, a performability
evaluation can alternatively be regarded as $|A|$ reliability
evaluations, one for each singleton success set B = {a} and,
if A is finite, the evaluation may actually be carried out in
this manner. As this process is generally more complex than a
typical reliability evaluation procedure (in particular, it
involves distinguishing all the performance levels as well as
determining their probabilities), we reserve the term
"reliability evaluation" to mean the evaluation of "probability
of success" for some specified success criterion B. Thus
performability reduces to reliability only when S is nondegradable,
i.e., $|A| = 2$. Due to the special nature of both performance
and reliability evaluations, we find that a direct combination
of the two is generally unable to support an evaluation of
system effectiveness. A case where independent evaluations
do suffice (and hence the more general concept of performability
is not really needed) is the following.

Let S be a system with accomplishment set A and suppose
that successful performance of S can be associated with the
performability of some fault-free reference system $\bar{S}$ (i.e.,
the computer part of $\bar{S}$ is fault-free). More precisely,
this says that for some designated subset B of the accomplishment
set A the conditional performability of S given B, i.e.,
the function $p_{S,B} : A \to [0,1]$ where*

$$p_{S,B}(a) = \frac{P(Y_S = a \text{ and } Y_S \in B)}{P(Y_S \in B)} \qquad (3.2.2)$$

is equal to the performability of $\bar{S}$, i.e.,

$$p_{\bar{S}}(a) = p_{S,B}(a), \text{ for all } a \in A. \qquad (3.2.3)$$

* As is standard practice, our notation here omits explicit
reference to the underlying space $\Omega$, e.g., "$Y_S = a$ and $Y_S \in B$"
means the set $\{\omega \mid Y_S(\omega) = a \text{ and } Y_S(\omega) \in B\}$.

(Note that $p_{S,B}(a) = 0$ if $a \notin B$ and thus the accomplishment
set of $\bar{S}$ need only include B.) Assuming further that
accomplishment levels outside of B are of no worth to the user,
i.e.,

$$w(a) = 0 \text{ if } a \notin B$$

then, by equation 3.2.1,

$$\mathrm{Eff}(S) = \sum_{a \in A} w(a)\, p_S(a) = \sum_{a \in B} w(a)\, p_S(a).$$

But $a \in B$ implies $p_S(a) = P(Y_S = a \text{ and } Y_S \in B)$. Hence, by the
definition of conditional performability (equation 3.2.2),

$$\mathrm{Eff}(S) = \sum_{a \in B} w(a)\, p_{S,B}(a)\, p_S(B)$$

where $p_S(B) = P(Y_S \in B)$. By assumption 3.2.3 we conclude that

$$\mathrm{Eff}(S) = \sum_{a \in B} w(a)\, p_{\bar{S}}(a)\, p_S(B) = \Big( \sum_{a \in B} w(a)\, p_{\bar{S}}(a) \Big)\, p_S(B)$$

or equivalently,

$$\mathrm{Eff}(S) = \mathrm{Eff}(\bar{S})\, p_S(B). \qquad (3.2.4)$$

Accordingly, a performance-worth (effectiveness) evaluation
of the fault-free reference system $\bar{S}$, along with a reliability
evaluation of S, suffice to determine the effectiveness of S.
Alternatively, equation 3.2.4 can be regarded as expressing
the effectiveness of S relative to two levels of accomplishment,
B (success) and A-B (failure), and a worth function w where
$w(B) = \mathrm{Eff}(\bar{S})$ and $w(A-B) = 0$. Then, by equation 3.2.1,

$$\mathrm{Eff}(S) = w(B)\, p_S(B) + w(A-B)\, p_S(A-B) = w(B)\, p_S(B) = \mathrm{Eff}(\bar{S})\, p_S(B).$$

The secret here, of course, is to find a system $\bar{S}$ that
satisfies assumption 3.2.3. $\bar{S}$ is easily identified only
when S = (C,E)* is such that faults of C which are tolerated (i.e.,
$Y_S \in B$) cause no change in the performance of S. In this case,
$\bar{S} = (\bar{C}, E)$ can serve as the reference system where $\bar{C}$ is the
fault-free version of C. In particular, this is the case for
fault-tolerant computer architectures which employ standby
sparing [5], N modular redundancy, or combinations thereof.
On the other hand, if tolerated faults can alter the performance
of S, the discovery of $\bar{S}$ requires an evaluation of conditional
performability (see 3.2.3) which is tantamount to evaluating
the performability of S.

3.2.2 Capability Functions 

A critical first step in the evaluation of performability
is to establish a relationship between the base model $X_S$
and the user-oriented performance model $Y_S$ (see Section 3.1.1). To
accomplish this, we assume that the base model is refined
enough to distinguish the levels of accomplishment perceived
by the user, that is, for all $\omega, \omega' \in \Omega$,

$$Y_S(\omega) \neq Y_S(\omega') \text{ implies } u_\omega \neq u_{\omega'} \qquad (3.2.5)$$

where $u_\omega$ and $u_{\omega'}$ are the state trajectories associated with
outcomes $\omega$ and $\omega'$ (see equation 3.1.1). This implies that each
trajectory $u \in U$ is related to a unique accomplishment level
$a \in A$. Accordingly, the concept of capability (introduced during
the previous reporting period; see [2], [3]) can be more
precisely defined as follows:

* C is the computer part of S; E is the environment.

Definition 2: If S is a system with trajectory space U and
accomplishment set A then the capability function of S is
the function $\gamma_S : U \to A$ where $\gamma_S(u)$ is the level of accomplishment
resulting from state trajectory u, that is,

$$\gamma_S(u) = a \text{ if, for some } \omega \in \Omega,\ u_\omega = u \text{ and } Y_S(\omega) = a.$$

By condition 3.2.5 it follows that $\gamma_S$ is well-defined and,
when there is no chance for ambiguity, $\gamma_S$ will be written simply
as $\gamma$.

Given the capability function of S, the performability
$p_S$ can be expressed in terms of the base model $X_S$. Let $\mathcal{V}$ denote
the collection of measurable trajectory sets, i.e., $V \in \mathcal{V}$ if
and only if there is an event $E \in \mathcal{E}$ such that $V = \{u_\omega \mid \omega \in E\}$.
Let $\mathrm{Pr} : \mathcal{V} \to [0,1]$ denote the probability measure of the base
model where Pr(V) = P(E) if V corresponds to the underlying
event E. In practice, of course, the measure Pr is derived
from known properties of the base model (e.g., $X_S$ is Markovian)
rather than from the underlying probability space. If a is an
accomplishment level then, by the definition of performability
(Def. 1),

$$p_S(a) = P(\{\omega \mid Y_S(\omega) = a\}) = \mathrm{Pr}(\{u_\omega \mid Y_S(\omega) = a\})$$

and hence, by the definition of capability (Def. 2),

$$p_S(a) = \mathrm{Pr}(\{u \mid \gamma_S(u) = a\}) = \mathrm{Pr}(\gamma_S^{-1}(a)). \qquad (3.2.6)$$

The preimage $\gamma_S^{-1}(a)$ is referred to as the trajectory set of a
and its determination requires an analysis of how an accomplishment
level $a \in A$ relates back down via $\gamma_S^{-1}$ to trajectories of the
base model. $p_S(a)$ is then determined by a probability
analysis of $\gamma_S^{-1}(a)$. Methods of implementing this process
are discussed in Section 4.
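
As an added illustration (not part of the original report), equation 3.2.6 can be carried out by direct enumeration when the base model is small: partition U into the trajectory sets of each level, then sum trajectory probabilities. The discrete time base, the Markov chain, the throughput values, the level names and the worth values below are all constructed assumptions.

```python
from collections import defaultdict
from itertools import product

# Constructed base model (all values are assumptions for illustration):
# state = number of fault-free subsystems, no repair, discrete time base.
STATES = (0, 1, 2)
N_STEPS = 4                                   # T = {0, 1, 2, 3}
INITIAL = {2: 1.0}                            # start fully operational
STEP = {                                      # one-step transition probabilities
    2: {2: 0.90, 1: 0.08, 0: 0.02},
    1: {1: 0.85, 0: 0.15},
    0: {0: 1.00},
}
THROUGHPUT = {0: 0.0, 1: 0.6, 2: 1.0}         # work rate in each state
WORTH = {"full": 1.0, "degraded": 0.5, "failed": 0.0}   # w(a)


def pr_trajectory(u):
    """Pr({u}) for one state trajectory under the Markov base model."""
    p = INITIAL.get(u[0], 0.0)
    for q, q_next in zip(u, u[1:]):
        p *= STEP[q].get(q_next, 0.0)
    return p


def capability(u):
    """gamma: U -> A. Needs the whole trajectory, not a single snapshot."""
    average = sum(THROUGHPUT[q] for q in u) / len(u)
    if average >= 0.95:
        return "full"
    if average >= 0.5:
        return "degraded"
    return "failed"


def trajectory_sets():
    """Partition U into the preimages gamma^{-1}(a), one per level a."""
    sets = defaultdict(list)
    for u in product(STATES, repeat=N_STEPS):
        sets[capability(u)].append(u)
    return dict(sets)


def performability():
    """p_S(a) = Pr(gamma^{-1}(a)) for every accomplishment level a."""
    return {a: sum(pr_trajectory(u) for u in V)
            for a, V in trajectory_sets().items()}


def effectiveness(worth=WORTH):
    """Eff(S) = sum over a in A of w(a) * p_S(a)  (equation 3.2.1)."""
    p = performability()
    return sum(w * p.get(a, 0.0) for a, w in worth.items())


def reliability(success_levels):
    """p_S(B) = sum of p_S(a) over the success set B."""
    p = performability()
    return sum(p.get(a, 0.0) for a in success_levels)


if __name__ == "__main__":
    for level, prob in sorted(performability().items()):
        print(f"p_S({level}) = {prob:.4f}")
    print(f"Eff(S) = {effectiveness():.4f}")
    p_success = reliability({"full", "degraded"})
    print(f"p_S(B) for B = {{full, degraded}}: {p_success:.4f}")
```

Enumeration grows as |Q| to the power of the number of time steps, which is why the report turns to model simplification for realistic base models.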

The role of a capability function in performability
evaluation is similar to that of a "structure function"
in reliability evaluation. However, even when performability
is restricted to reliability, the concept of a capability
function is more general. The special class which corresponds
to structure functions may be characterized as follows. Let
S be a system where Q is the state space of the base model
and A = {0,1} is the accomplishment set (where 1 denotes
"success" and 0 denotes "failure"). Then the capability
function $\gamma$ is structure-based if there exists a structure
function* $\varphi : Q \to \{0,1\}$ such that, for all $u \in U$,

$$\gamma(u) = 1 \text{ iff } \varphi(u(t)) = 1, \text{ for all } t \in T.$$

Thus, when capability is structure-based, a local (in time)
success criterion can be applied to "snapshots" of u throughout
T to determine whether u results in system success. Alternatively,
this criterion can be specified as membership in a prescribed
set of "success states" R where

$$R = \varphi^{-1}(1) = \{q \mid \varphi(q) = 1\}.$$

When system success is viewed in structural terms, as
is the case in most reliability studies, a structure-based
capability function will often suffice. On the other hand,
when success relates to system behavior (e.g., when reliability
is "computation-based" [7]), we find that success is generally
not definable in terms of a local success criterion such
as $\varphi$ or R. The following example serves to demonstrate this
fact.

* The usual definition (see [6], for example) requires that
$Q = \{0,1\}^n$ where the i-th coordinate of $q \in Q$ is interpreted
as the operational state of the i-th component of the system.

Example 1 

Let S = (C,E) where C represents a distributed computer
comprised of n subsystems, and E represents the computer's
workload. Suppose further that system "throughput" (i.e., the
user-visible work rate of C given E) varies as a function
of the number of fault-free subsystems. Assuming a constant
workload E, the operational states of S can be represented by
the state space

$$Q = \{0, 1, \ldots, n\}$$

where state i corresponds to "i fault-free subsystems." The
variation in throughput is described by a function

$$\tau : Q \to R^+$$

where $\tau(i)$ = throughput of S in state i.

Assuming S is used continuously throughout a utilization
period T = [0,T], the base model of S is a stochastic process

$$X_S = \{X_t \mid t \in [0,T]\}$$

where each $X_t$ is a random variable taking values in Q. (The
probabilistic nature of $X_S$ is not an issue here.) As for
performance, suppose that the user is interested in the
average throughput of the system, where the average is taken
over the utilization period T. Then, depending on the nature
of the accomplishment set, the performability of S can be
expressed in several different ways. For a continuum of
accomplishment levels, A can be identified with $R^+ = [0,\infty)$ and the
capability of S is the function $\gamma_1 : U \to R^+$ where

$$\gamma_1(u) = \int_0^T \tau(u(t))\, dt \,/\, T.$$

From a more practical point of view, the user may be interested
in only a finite number of accomplishment levels

$$A = \{0, r_1, r_2, \ldots, r_\ell\}$$

where $0 < r_1 < \cdots < r_\ell$ and $r_i$ represents a range of average
throughputs between $r_i$ and $r_{i+1}$. More precisely, the capability
function in this case is the function $\gamma_2 : U \to A$ where

$$\gamma_2(u) = \begin{cases} 0 & \text{if } \gamma_1(u) \in [0, r_1) \\ r_i & \text{if } 0 < i < \ell \text{ and } \gamma_1(u) \in [r_i, r_{i+1}) \\ r_\ell & \text{if } \gamma_1(u) \in [r_\ell, \infty). \end{cases}$$

Finally, the user may be interested only in success or
failure where success is identified with a minimum average
throughput $\tau$. In this case $\gamma_S$ is the function $\gamma_3 : U \to \{0,1\}$
where

$$\gamma_3(u) = \begin{cases} 1 & \text{if } \int_0^T \tau(u(t))\, dt \,/\, T > \tau \\ 0 & \text{otherwise.} \end{cases}$$

For each of the capability functions $\gamma_S = \gamma_i$ of the
above example, it is obvious that the value $\gamma_S(u)$ depends on
a complete knowledge of the state trajectory u, due to the
inherent memory of the integration operation. In particular,
when throughput is degradable (i.e., the interesting case
where different states can exhibit different positive
throughputs), it follows that $\gamma_S = \gamma_3$ will generally not
admit to a structure-based formulation. (A simple, two-state
example will verify this.) This remains true when the
concept of structure-based capability is extended to permit
different structure functions to be associated with different
"phases" of the utilization period (see [8], for example),
i.e., there exists a decomposition of T into k disjoint
time periods (phases) $T_1, T_2, \ldots, T_k$ and there exist structure
functions $\varphi_1, \varphi_2, \ldots, \varphi_k$ such that

$$\gamma(u) = 1 \text{ iff } \varphi_i(u(t)) = 1, \text{ for all } i \in \{1, 2, \ldots, k\} \text{ and for all } t \in T_i.$$

In general, we have found that a capability function cannot be
structure-based wherever there exists an intermediate time
period T' and a "success trajectory" v (i.e., $\gamma(v) = 1$)
such that the knowledge that a trajectory u agrees with v
during T' alters the success criterion for u during T - T'.

Thus, even in the case of two accomplishment levels, the concept
of a capability function (Definition 2) represents a proper
extension of relations between state behavior and system
performance that are typically assumed in the theory of
reliability.
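
The two-state check mentioned above can be done exhaustively. The following is an added example, not part of the original report: it assumes a discrete time base, takes the success criterion of $\gamma_3$ (average throughput strictly above a minimum), and searches every candidate success-state set R, and every per-time-step assignment of such sets (the finest phase decomposition, of which coarser phasings are special cases), for one that reproduces $\gamma_3$. The function names and throughput values are constructed for illustration.

```python
from itertools import combinations, product


def success_by_average(u, tau, minimum):
    """gamma_3(u): 1 iff the average throughput over the period exceeds `minimum`."""
    return 1 if sum(tau[q] for q in u) / len(u) > minimum else 0


def subsets(states):
    """All candidate success-state sets R (each R is phi^{-1}(1) for some phi)."""
    items = sorted(states)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]


def _target(tau, minimum, n_steps):
    """Map every trajectory u in U to gamma_3(u)."""
    return {u: success_by_average(u, tau, minimum)
            for u in product(sorted(tau), repeat=n_steps)}


def structure_based_witnesses(tau, minimum, n_steps):
    """Sets R with gamma_3(u) = 1 iff u(t) in R for all t; empty if none exists."""
    target = _target(tau, minimum, n_steps)
    return [R for R in subsets(tau)
            if all(int(all(q in R for q in u)) == g for u, g in target.items())]


def phased_witnesses(tau, minimum, n_steps):
    """Same search with one success set per time step (one phase per step)."""
    target = _target(tau, minimum, n_steps)
    found = []
    for Rs in product(subsets(tau), repeat=n_steps):
        if all(int(all(q in R for q, R in zip(u, Rs))) == g
               for u, g in target.items()):
            found.append(Rs)
    return found


# Constructed cases. DEGRADABLE: both states deliver positive throughput.
# FIXED: any fault drops throughput to zero and the minimum demands full rate.
DEGRADABLE = {1: 1.0, 2: 2.0}
FIXED = {0: 0.0, 1: 1.0}

if __name__ == "__main__":
    print("degradable, single R :", structure_based_witnesses(DEGRADABLE, 1.5, 3))
    print("degradable, phased   :", phased_witnesses(DEGRADABLE, 1.5, 3))
    print("fixed, single R      :", structure_based_witnesses(FIXED, 0.9, 3))
```

In the degradable case the successful trajectories are those with at most one step in the slower state, a set that is not a product of per-step state sets, so no local criterion can describe it.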

3.3. Capability and Functional Dependence

3.3.1. Capability and The Model Hierarchy

As discussed in Section 3.2, the performability of the
total system S with accomplishment set A may be expressed as
the function $p_S : A \to [0,1]$ where

$$p_S(a) = \mathrm{Pr}(\gamma_S^{-1}(a))$$

and $\gamma_S$ is the capability function. From this formulation it
may be seen that one method of evaluating a particular $p_S(a)$ is
to i) determine a characterization of the set $V = \gamma^{-1}(a)$ which
suffices to ii) calculate the probability Pr(V). In this
section we consider the problem of expressing $\gamma_S$ for the purpose
of characterizing the sets $V = \gamma^{-1}(a)$. Section 3.3.2 presents
one tool, functional dependence, for use in calculating Pr(V).

Recall that for a system S with trajectory space U and
accomplishment set A the capability function is the function
$\gamma_S : U \to A$ where $\gamma_S(u)$ is the level of accomplishment resulting
from state trajectory u. Thus, $\gamma_S$ expresses the relationship
between the base model $X_S$ and the performance model $Y_S$. A
major problem in expressing this relationship for a given $X_S$
and $Y_S$ is due to the potential dissimilarities between the two
models. To ease the problems of transition, a model hierarchy
is introduced. The hierarchy provides for a step-by-step,
top-down elaboration of each accomplishment level a, terminating
in the desired base model description $\gamma^{-1}(a)$. The performance
model $Y_S$ itself sits above the level-0 (top) model of the
hierarchy. Each intermediate model of the hierarchy is defined
in a manner similar to that of the base model. More precisely,
if there are m+1 levels in the hierarchy, the level-i model
($i = 0, 1, \ldots, m$) is a stochastic process defined in terms of
two independent processes $X_c^i$ and $X_b^i$ referred to as the
composite and basic parts of the level-i model. The composite
part inherits its behavior from the next lower (level-(i+1))
model; the basic part represents new information, external to
the level-(i+1) model, that is introduced at level-i.

For instance, at a certain level in modeling the actual
hardware of a system, the effects of weather may be of no
consideration in developing an accurate model. Higher up in
the hierarchy, however, the effects of weather on the system
may have to be considered to adequately reflect the user's
needs. Thus, weather would be regarded as a part of the total
system whose effects may be introduced as a basic part at a
higher level. After introduction, as a basic part, it supports
the higher (lower numbered) level composite parts.

We express this more precisely by

$$X_c^i = \{X_{c,t}^i \mid t \in T_c^i\}$$

where $X_{c,t}^i : \Omega \to Q_c^i$ is a random variable taking values in the
composite state space $Q_c^i$ (at level-i). $Q_c^i$ may be further
coordinatized. The projection of $X_c^i$ on a particular
coordinate is called a composite variable (at level-i). A
composite trajectory is a function $u_\omega : T_c^i \to Q_c^i$ where
$u_\omega(t) = X_{c,t}^i(\omega)$; the composite trajectory space is the set
$U_c^i = \{u_\omega \mid \omega \in \Omega\}$. Similar definitions, terminology and
notation apply to the basic process $X_b^i$. To permit extension
of either $X_c^i$ or $X_b^i$ to larger time-bases, a fictitious state
is adjoined to each of $Q_c^i$ and $Q_b^i$. Then, relative to a
time-base $T \supseteq T_c^i$, $X_c^i$ (similar remarks apply to $X_b^i$) is taken
to be the process


where, if $t \in T - T_c^i$, $X_{c,t}^i$ is defined to be the constant-valued
random variable taking the fictitious state as its value
for all $\omega \in \Omega$.

Extending both $X_c^i$ and $X_b^i$ to $T^i$, the level-i model
is the stochastic process

$$X^i = \{X_t^i \mid t \in T^i\}$$

where $X_t^i = (X_{c,t}^i, X_{b,t}^i)$. The state space of the level-i model
is

$$Q^i = Q_c^i \times Q_b^i$$

and its trajectory space $U^i$ is represented by the set

$$U_c^i \otimes U_b^i = \{(u_\omega, u'_\omega) \mid \omega \in \Omega\}.$$

(With a slight abuse of terminology and notation, $U_c^i \otimes U_b^i$ will
be denoted as $U^i$ and referred to as the trajectory space of
$X^i$.) In case there are no composite (basic) variables at
level-i, $Q_c^i$ ($Q_b^i$) is simply deleted, that is, $Q^i = Q_b^i$ ($Q^i = Q_c^i$).
In these cases the corresponding trajectory space is $U^i = U_b^i$
($U^i = U_c^i$). Combining such models, we have:

Definition 3 : If S is a total system with base model $X_S$ and 
capability function $\gamma_S$, the collection $\{X^0, X^1, \ldots, X^m\}$ of 
level-0 to level-m models is a model hierarchy for S if the 
following conditions are satisfied: 

i) $X^m = X_b^m$, that is, all variables of the "bottom" model 
are basic. 

ii) If each model $X^i$ is extended to the utilization 
interval T, the base model $X_S$ is the stochastic process 


$X_S = \{X_t \mid t \in T\}$ 


where X^ ^'^b , t "^b , t ’ * * * , t^ * 


(Accordingly, the state space of Xg is 

Q '** ^^b trajectory space U is 

represented by the set . ) 


iii) For each level i, there exists an interlevel translation 


K. where 
1 


c b 


K- :U^®U?: 
1 c b 


(1 < i < m) 


m b 


U 


m-1 


such that the capability function $\gamma_S$ can be decomposed 

as follows. If u e U where u = * * * * ’'^l^ with 

u . e Uu , then 
X- b * 

YgCu) = ^* * *S-1 *^m"l^ » * * • * 

The terminology and notation of Definition 3 is summarized in 
Figure 1. It should be clear that this formal definition of a 
model hierarchy follows from the less rigorous approaches in 
[1] and [2]. Notice that while the performance model $\gamma_S$ sits 
above the level-0 model, the base model $X_S$ may be completely 
represented by the m+1 intermediate level base models. 

A model hierarchy thus provides a step-by-step formulation 
of the capability function in terms of interlevel translations 
of state trajectories, beginning with a translation of the 
bottom model. It also permits the expression of capability 
relative to higher level (less detailed) views of total system 
behavior. More precisely, beginning at the highest level, 
the i-level based capability function (denoted $\gamma_i$) can be 
defined inductively as follows. Recalling that $U^i = U_c^i \otimes U_b^i$ 
and letting $U_b(i) = U_b^i \otimes \cdots \otimes U_b^0$, if i = 0 then 

$\gamma_0 : U^0 \to A$ where $\gamma_0(u) = \kappa_0(u)$. 

If i > 0, then $\gamma_i : U^i \otimes U_b(i-1) \to A$ where, if $u \in U^i$, 
$u' \in U_b(i-1)$ then 

$\gamma_i(u,u') = \gamma_{i-1}(\kappa_i(u), u')$. 

It is easily shown that $\gamma_i$ has its intended interpretation, 
i.e., if u and u' correspond to a base model trajectory v then 
$\gamma_i(u,u') = \gamma_S(v)$. In particular, if i = m then $\gamma_m = \gamma_S$. 

The capability functions $\gamma_i$, in turn, provide the basis 
for a systematic method of determining $\gamma_S^{-1}(a)$ for a given 
accomplishment level a. Beginning with level-0-based 
capability, by (4.1) we have 

$\gamma_0^{-1}(a) = \kappa_0^{-1}(a)$. 

Assuming that $\gamma_{i-1}^{-1}(a)$ has been determined, by (4.2) it follows 
that 

$\gamma_i^{-1}(a) = \bigcup_{(u,u') \in \gamma_{i-1}^{-1}(a)} (\kappa_i^{-1}(u), u')$ 

where $(\kappa_i^{-1}(u), u') = \{(v, u') \mid \kappa_i(v) = u\}$. 

This process is iterated until i = m, yielding $\gamma_m^{-1}(a) = \gamma_S^{-1}(a)$. 

We have described one way of evaluating the sets $\gamma_S^{-1}(a)$ 
by introducing a model hierarchy which permits us to write $\gamma_S$ 
as the composition of several smaller functions, namely the 
interlevel translations. A simplified but relatively complete 
example of this process of evaluating the sets $\gamma_S^{-1}(a)$ is 
presented in Section 3.5. 

3.3.2 Functional Dependence 

Elaboration of the capability function $\gamma_S$ yields a 
characterization of the trajectory sets corresponding to a particular 
level of accomplishment a. These trajectory sets may possess 
properties which either aid or hinder probability calculations. 

One such property is the apparent functional dependency of the 
various system components on one another. For instance, the 
knowledge that certain dependencies exist between the 
operational states of a system over time may permit the 
simplification of considering certain states of the system only 
at specific times. The concept of R-dependence (see [1], [2]) 
is a characterization of functional dependency as reflected in 
trajectory sets. 

The remainder of Section 3.3 introduces a further 
generalization of R-dependence, together with the notion of 
"conditional" R-dependence, and some basic properties of these 
concepts. The idea of conditional R-dependence is embodied in 
the question "If C is known, does the knowledge of B increase 
the knowledge of A?" For the purposes of the following discussion, 
we restrict consideration to systems whose trajectories may be 
sampled at discrete intervals with no loss of relevant information. 

3.3.2.1 Basic Definitions 

Suppose we have a "phased" model (Section 3.4.2) of system 
S. Let S be the system of interest with subsystems 
$S_1, \ldots, S_n$. A subsystem may be any part of the total system 
(that is, the computer and its environment) whose behavior 
influences the overall performance of S. An operational state 
of S will be defined in terms of the operational states of the 
subsystems of S. Thus, the sets of states of S considered here 
are "structured" or "coordinatized" sets in the following sense. 

Definition 1 : Let D be a totally ordered (index) set. A 
structured set V is some subset of the Cartesian (cross) 
product of an indexed family of sets $\{V_d \mid d \in D\}$, that is, 

$V \subseteq \times_{d \in D} V_d$ (see [3]). 

Note that the ordering on the index set D may be arbitrary. 
However, once chosen, the ordering is fixed. Any set $D' \subseteq D$ will 
inherit that ordering, and cross products will be taken according 
to the order of the indices $d \in D'$. 

Two examples should help to clarify this definition. In [1], 
with each subsystem $S_i$ ($1 \le i \le n$) of S was associated a corresponding 
state set $Q_i$. The state set Q of S was defined to be 
$Q = Q_1 \times \cdots \times Q_n$. This set Q is a structured set where the index set is 
D = {1,2,...,n} with the natural ordering. The collection of 
sets $\{Q_i \mid 1 \le i \le n\}$ corresponds to $\{V_d \mid d \in D\}$ of Definition 1. In 
[2], the set of state trajectories of a system S is described. 

Each subsystem is sampled at k different times. The set 
$Q_i^t$ ($1 \le i \le n$, $1 \le t \le k$) denotes the set of possible operational 
states of $S_i$ at the t-th time sample. Then a state trajectory 
for S is an n x k array $u = [q_{it}]$ where $q_{it} \in Q_i^t$. Let 
$U = \{[q_{it}] \mid q_{it} \in Q_i^t, 1 \le i \le n, 1 \le t \le k\}$. The set U is a 
structured set with index set $D = \{(i,t) \mid 1 \le i \le n, 1 \le t \le k\}$ 
totally ordered, the indexed family of sets is $\{Q_i^t \mid (i,t) \in D\}$, 
and $U = \times_{(i,t) \in D} Q_i^t$. Throughout this report, the ordering imposed 
on a structured index set as in this example will be row-major 
order. This ordering is defined by 

(a,b) < (c,d) if a < c or (a=c and b<d) 

(a,b) = (c,d) if a=c and b=d 
(a,b) > (c,d) otherwise. 

Due to this linear ordering we can represent a state trajectory 
as either an n x k array or as an (n·k)-tuple. We shall use 
whichever representation is most suggestive in what follows. 

Often an m-tuple (arbitrary m) is used. The methods and results 
described, however, apply to arrays of any dimension and size. 

For any structured set V with index set D one can define a 
family of (single) coordinate projections which, when applied to 
an element $v \in V$, will yield the value of a particular coordinate 
of v. 

Definition 2. Let V be a structured set, $V \subseteq \times_{d \in D} V_d$. For 
each $d \in D$, the projection on d, denoted $\xi_d$, is the 
function 

$\xi_d : V \to V_d$ where $\xi_d(v)$ is the value of coordinate d of v. 

While the family of projections $\{\xi_d \mid d \in D\}$ provides a method 
for examining the value of a single coordinate, one would like to 
be able to examine the values of several coordinates simultaneously. 




In order to make the requisite extension, the notion of a cross 
product function [3] is introduced. 

Definition 3. Let V be a structured set with index set D, 
let $D' \subseteq D$, $D' \ne \emptyset$ and let $\{f_d : V \to V_d \mid d \in D'\}$ be an indexed 
family of functions. A cross product function on V is a 
function 

$(\times_{d \in D'} f_d) : V \to \times_{d \in D'} V_d$ 

defined by 

$(\times_{d \in D'} f_d)(v) = (f_{d_1}(v), \ldots, f_{d_j}(v))$ where $D' = \{d_1, \ldots, d_j\}$ 

and $d_1 < d_2 < \cdots < d_j$. 

For $D' = \emptyset$, define 

$(\times f_\emptyset) : V \to \{1_\emptyset\}$ where $1_\emptyset$ is an arbitrary constant. 

Using Definition 3 one can define projections on sets of 
coordinates. Thus for V, D, D' and $\{\xi_d \mid d \in D\}$ as above, define 

$\xi_{D'} = (\times_{d \in D'} \xi_d)$. 

For example, if $V = R \times R \times R$, D = {1,2,3} and D' = {2,3}, then 
$\xi_{D'}((8,9,10)) = (9,10)$. For an array, an example is 

$\xi_{\{(1,1),(2,3)\}}\left(\begin{bmatrix} 1 & 2 & 3 \\ 4 & 5 & 6 \end{bmatrix}\right) = (1,6)$ and $\xi_\emptyset\left(\begin{bmatrix} 1 & 2 & 3 \\ 4 & 5 & 6 \end{bmatrix}\right) = 1_\emptyset$. 

When |D'| = 1 (D' is a singleton set) the set brackets will 
often be dropped, i.e., 

$\xi_{\{1\}}((8,9,10)) = \xi_1((8,9,10)) = (8)$. 

For $V' \subseteq V$, $D' \subseteq D$ define 

$\xi_{D'}(V') = \{\xi_{D'}(v') \mid v' \in V'\}$. 

In this report, a set will usually be partitioned relative 
to projection equality. This is defined by 

$v_1 \equiv_A v_2$ if $\xi_A(v_1) = \xi_A(v_2)$, $A \subseteq D$, $v_1, v_2 \in V$. 

Thus if we partition V by equality of projection on A, denoted 
$\pi_A^V$, then two elements $v_1, v_2 \in V$ are in the same block of $\pi_A^V$ if 
$v_1 \equiv_A v_2$. In cases where ambiguity is precluded, we may denote 
$\pi_A^V$ by $\pi_A$. For example, let D = {1,2,3} and 


V = { (0,0,0), (1,0,0), 
      (0,0,1), (1,0,1), 
      (0,1,0), (1,1,0), 
      (0,1,1), (1,1,1) }. 

Then 

$\pi_{\{1\}}$ = {{(0,0,0), (0,0,1), (0,1,0), (0,1,1)}, 
         {(1,0,0), (1,0,1), (1,1,0), (1,1,1)}}, 
$\pi_{\{2,3\}}$ = {{(0,0,0), (1,0,0)}, {(0,0,1), (1,0,1)}, 
         {(0,1,0), (1,1,0)}, {(0,1,1), (1,1,1)}}, and 

V V 

If $\pi_A$ and $\pi_B$ are two partitions of V and each block in 
$\pi_A$ is a subset of a block in $\pi_B$, then $\pi_A$ "refines" $\pi_B$, denoted 

$\pi_A \le \pi_B$ or $\pi_B \ge \pi_A$. 

It will be useful to be able to refer to a particular block 
of $\pi_A^V$ ($A \subseteq D$). Thus if $s \in \xi_A(V)$ define 

$\mathbb{B}_A^V(s) = \{q \in V \mid \xi_A(q) = s\}$. 

The set $\mathbb{B}_A^V(s)$ is the set of all elements of V whose projection on 
A is equal to s. Clearly, if $\xi_A(V) = \{s_1, \ldots, s_m\}$ then 

$\pi_A^V = \{\mathbb{B}_A^V(s_1), \ldots, \mathbb{B}_A^V(s_m)\}$. 

As with partitions, the superscript V will be dropped when the 
meaning is unambiguous. (The notation $\mathbb{B}$ corresponds to 
the R^(j,qj) of [2].) Further to the above example, 

$\mathbb{B}_{\{1\}}(1) = \{(1,0,0), (1,1,0), (1,0,1), (1,1,1)\}$ 

and 

$\mathbb{B}_{\{2,3\}}((0,0)) = \{(1,0,0), (0,0,0)\}$. 

3.3.2.2 R-dependence 

In [1], the CARSRA notion of functional dependence 
(see [5]) was formalized as $\varphi$-dependence. Its application was 
restricted to the context of structure-based reliability analysis. 
The concept of $\varphi$-dependence was subsequently extended in [2] to 
R-dependence. While this extension provided several useful 
generalizations, it still restricted "dependence" to a single 
coordinate depending on another single coordinate. The extension 
to subsets of coordinates is given below together with certain 
basic results. It should be noted that previous 
characterizations are special cases of the extended definition. 

The context of our investigation is that one knows something 
about the behavior of the system; that is, one has been given 
some set of states or state trajectories which give rise to a 
certain desired performance of the system of interest. One such 
set might be the set of all "success" states relative to a 
structure function. More generally, these sets may be induced 
by the values which the capability function $\gamma$ [see Section 3.2] assumes. 
Thus, in the following discussion, let $Q = Q_1 \times \cdots \times Q_m$ be a 
structured set and let $R \subseteq Q$. R is the set relative to which 
R-dependency is defined. Let D = {1,...,m} be the index set for 
Q and R. 

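Definition 4. If $A, B \subseteq D$ then A R-depends on B (denoted 
$A \,\Delta_R\, B$ or $(A,B) \in \Delta_R$) if $\exists r \in \xi_A(R)$, $\exists s \in \xi_B(R)$ such 
that $\forall q \in R\,[\xi_B(q) = s \Rightarrow \xi_A(q) \ne r]$. 

Accordingly, A is R-independent of B ($A \not\Delta_R B$) if and only if 
$\forall r \in \xi_A(R)$, $\forall s \in \xi_B(R)$, $\exists q \in R\,[\xi_A(q) = r \text{ and } \xi_B(q) = s]$. 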

Several items should be noted about this definition. First, 
there are two general modes of dependence (see also [2]). The 
"stronger" mode is dependence as found in "linear dependence" of 
vector spaces. There "A depends on B" means that knowing B tells 
us everything of interest about A. The "weaker" mode is 
demonstrated by statistical dependence. In this case, knowing 
that "A depends on B" and knowing B tells something about A. 
R-dependence is a type of weak dependence. Second, R-dependence 
is defined relative to the set R under consideration. The fact 
that A R-depends on B does not mean that A R-depends on B relative 
to a set $R' \supseteq R$. Third, the notion of R-dependence is extended to 
sets of coordinates. However, in the attempt to achieve maximum 
generality, references to subsystems have been dropped. Since 
the specific context of our research indicates that each 
coordinate represents an operational state of a subsystem at some 
particular time, the relationships between subsystems may easily be 
inferred. 

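The above definition of R-dependence is related to the 
projection approach ([1], [2]) and the partition approach ([2]) as 
stated in the following theorem. 

Theorem 1 : Let $R \subseteq Q$ and $A, B \subseteq D$. The following statements 
are equivalent. 

i) A R-depends on B. 

ii) $\exists s \in \xi_B(R)$ such that $\xi_A(\mathbb{B}_B(s))$ is a proper subset of 
$\xi_A(R)$. 

iii) $\exists r \in \xi_A(R)$ and $\exists s \in \xi_B(R)$ such that $\mathbb{B}_A(r) \cap \mathbb{B}_B(s) = \emptyset$. 

Proof : (i) $\Rightarrow$ (ii). Suppose $A \,\Delta_R\, B$ and let r, s be as guaranteed 
in Definition 4. Let $q \in \mathbb{B}_B(s)$. Then $\xi_B(q) = s$ which implies 
that $\xi_A(q) \ne r$, i.e., $r \notin \xi_A(\mathbb{B}_B(s))$. But $r \in \xi_A(R)$ so 
$\xi_A(\mathbb{B}_B(s))$ is a proper subset of $\xi_A(R)$. 

(ii) $\Rightarrow$ (iii). Suppose (ii) and let $\mathbb{B}_B(s)$ be the block 
with the property guaranteed by (ii), $s \in \xi_B(R)$. Then 
$\exists r \in \xi_A(R)$ such that $r \notin \xi_A(\mathbb{B}_B(s))$. If we now consider $\mathbb{B}_A(r)$ 
it must be the case that $\mathbb{B}_A(r) \cap \mathbb{B}_B(s) = \emptyset$. (Suppose not. 
Then $\exists q \in R$ such that $q \in \mathbb{B}_A(r)$ and $q \in \mathbb{B}_B(s)$. But $q \in \mathbb{B}_B(s)$ 
$\Rightarrow \xi_A(q) \in \xi_A(\mathbb{B}_B(s))$ and $q \in \mathbb{B}_A(r) \Rightarrow \xi_A(q) = r$. Therefore, 
$r \in \xi_A(\mathbb{B}_B(s))$. Contradiction.) 

(iii) $\Rightarrow$ (i). Suppose $\exists r \in \xi_A(R)$, $s \in \xi_B(R)$ such that 
$\mathbb{B}_A(r) \cap \mathbb{B}_B(s) = \emptyset$. Then $\forall q \in R$, if $q \in \mathbb{B}_B(s)$, $q \notin \mathbb{B}_A(r)$. But 
$q \in \mathbb{B}_B(s) \Leftrightarrow \xi_B(q) = s$ and similarly $q \in \mathbb{B}_A(r) \Leftrightarrow \xi_A(q) = r$. 
Thus $\exists r \in \xi_A(R)$, $\exists s \in \xi_B(R)$ such that $\forall q \in R\,[\xi_B(q) = s \Rightarrow \xi_A(q) \ne r]$. 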

Due to the equivalence of the above three formulations, we 
are now free to use whichever is most applicable when deriving 
new results. It should be noted that (ii) in Theorem 1 
corresponds to the "projection" formulation of [2] and (iii) 
corresponds to the "partition" formulation of [2], each extended 
to deal with subsets of coordinates. 

Consider the following. Let 

R = { (0,0,0,0), (0,1,1,0), 
      (0,0,1,0), (1,0,1,0), 
      (0,1,0,0), 
      (1,0,0,0) }, 

D = {1,2,3,4}. 

Then $\forall q \in R\,[\xi_2(q) = 1 \Rightarrow \xi_1(q) \ne 1]$ so $\{1\} \,\Delta_R\, \{2\}$. However, 
$\{1\} \not\Delta_R \{3\}$. Looking at coordinate 4, $\pi_{\{4\}} = \{R\}$ because the value 
of coordinate 4 is constant. In this case no coordinate or set 
of coordinates may R-depend on {4}. We call such a set of 
coordinates "universally independent" [6]. Now consider 
R' = R U {(1,1,0,0)}. Again {4} is universally independent, but 
$\{1\} \not\Delta_{R'} \{2\}$. However, $\forall q \in R'\,[\xi_{\{1,2\}}(q) = (1,1) \Rightarrow \xi_3(q) \ne 1]$ 
so $\{1,2\} \,\Delta_{R'}\, \{3\}$. 

Several observations should be made regarding the nature 
of R-dependence. First, R-dependence is symmetric, that is, 
$\forall A, B \subseteq D$ if $A \,\Delta_R\, B$, then $B \,\Delta_R\, A$. This fact is easily seen from 
(iii) of Theorem 1. Second, if $|\xi_A(R)| = 1$, $A \subseteq D$, then A will 
always be R-independent of any other set $B \subseteq D$, including A 
itself (i.e., A is universally independent). However, $\forall A \subseteq D$ 
such that $|\xi_A(R)| > 1$, A R-depends on A. This is easily seen 
from the fact that if $|\xi_A(R)| > 1$ then $\exists r, s \in \xi_A(R)$ such that 
$r \ne s$. Then $\forall q \in R\,[\xi_A(q) = r \Rightarrow \xi_A(q) \ne s]$. R-dependence is not 
transitive. Consider the set 

R = { (0,0,0), (1,0,0), (0,0,1), (1,1,1) }. 

Then $\{1\} \,\Delta_R\, \{2\}$ and $\{2\} \,\Delta_R\, \{3\}$ but $\{1\} \not\Delta_R \{3\}$. Hence, in 
general, R-dependence is neither reflexive nor transitive. 

The following result is useful in establishing other 
properties of R-dependence. 

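Lemma 1. Let $A, B \subseteq D$. If $A \,\Delta_R\, B$ then $\forall A' \supseteq A$, $\forall B' \supseteq B$, 

$A' \,\Delta_R\, B'$. 

Proof: Suppose $A \,\Delta_R\, B$. Let $A' \supseteq A$, $B' \supseteq B$. We know that 

$\exists r \in \xi_A(R)$, $\exists s \in \xi_B(R)$ such that 

$\mathbb{B}_A(r) \cap \mathbb{B}_B(s) = \emptyset$. 

Since $A \subseteq A'$, $\pi_{A'} \le \pi_A$, that is each block in $\pi_{A'}$ is a subset of 
some block in $\pi_A$ and each block in $\pi_A$ is a superset of some 
block in $\pi_{A'}$. Similarly for B' and B. Hence $\exists r' \in \xi_{A'}(R)$, 
$\exists s' \in \xi_{B'}(R)$ such that 

$\mathbb{B}_{A'}(r') \cap \mathbb{B}_B(s) = \emptyset$ 

and so 

$\mathbb{B}_{A'}(r') \cap \mathbb{B}_{B'}(s') = \emptyset$. 

Therefore $A' \,\Delta_R\, B'$. Intuitively, this lemma says that if A R-depends 
on B, then A R-depends on any superset of B. 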

The notions of "strong" and "weak" dependence were introduced 
above. R-dependence itself is a weak form of dependence, of which 
a strong form is a special case. This special case is distinguished 
as follows. Consider (iii) of Theorem 1. Suppose that for A, 
$B \subseteq D$ where $|\xi_A(R)| > 1$ and $|\xi_B(R)| > 1$, $\pi_A \le \pi_B$. Then 
$\forall r \in \xi_A(R)$ $\exists s \in \xi_B(R)$ such that $\mathbb{B}_A(r) \subseteq \mathbb{B}_B(s)$. Clearly A R-depends 
on B. But also, $\forall q \in R\,[\xi_A(q) = r \Rightarrow \xi_B(q) = s]$ for r, s as 
designated above. Thus if one knows the values of the coordinates in 
A, one knows the values of the coordinates in B. This is precisely 
a characterization of a type of strong dependence. Thus if 
$|\pi_A| > 1$, $|\pi_B| > 1$ and $\pi_A \le \pi_B$, A R-depends (strongly) 
on B. Note that while the weak form of R-dependence is 
symmetric, the stronger form is not necessarily so. 

So far the notion of a set of coordinates R-depending on 
another set of coordinates has been introduced. Eventually, 
one would like to have a quick test to discover, given a 
structured set with its index set, whether any dependencies 
exist. In order to characterize a set which contains 
dependencies, the notion of an "R-dependent" set of coordinates has 
been introduced. 

Definition 5. Let $C \subseteq D$. C is R-dependent if $\exists A, B \subseteq C$ 
where $A \cap B = \emptyset$ and A R-depends on B. C is R-independent 
if C is not R-dependent. 

Essentially, this says that C is R-dependent if some part 
of C R-depends on some other part of C. The requirement that A and 
B be disjoint insures that a set is not characterized 
as dependent simply because some subset of coordinates R-depends 
upon itself. (If this qualification was not made, then only universally 
independent sets of coordinates would be R-dependent.) 

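Theorem 2 : A coordinate set C is R-dependent if and only if 

$\exists i \in C$ such that $\{i\} \,\Delta_R\, C - \{i\}$. 

Proof : ($\Leftarrow$) Suppose that $\exists i \in C$ such that $\{i\} \,\Delta_R\, C - \{i\}$. By 
choosing A = {i} and B = C-{i}, C is R-dependent by Definition 6. 

($\Rightarrow$) Suppose C is R-dependent. Then $\exists A, B \subseteq C$ such that 
$A \cap B = \emptyset$ and $A \,\Delta_R\, B$. This means that $\exists r \in \xi_A(R)$, $\exists s \in \xi_B(R)$ 
such that 

$\mathbb{B}_A(r) \cap \mathbb{B}_B(s) = \emptyset$. 

Let $B = \{j_1, \ldots, j_m\}$ and $s = (s_1, \ldots, s_m)$. Notice 
$\mathbb{B}_B(s) = \mathbb{B}_{j_1}(s_1) \cap \mathbb{B}_{j_2}(s_2) \cap \cdots \cap \mathbb{B}_{j_m}(s_m)$. (There is nothing 
special about using B. The argument is the same whether we 
choose to start with A or B.) Then $\mathbb{B}_A(r) \cap \mathbb{B}_{j_1}(s_1) \cap \cdots \cap \mathbb{B}_{j_m}(s_m) = \emptyset$. 
Consider $\mathbb{B}_A(r) \cap \mathbb{B}_{j_1}(s_1)$. This intersection is either empty or 
non-empty. If $\mathbb{B}_A(r) \cap \mathbb{B}_{j_1}(s_1) = \emptyset$ then $\{j_1\} \,\Delta_R\, A$. From 
Lemma 1, $A \subseteq C - \{j_1\}$ so $\{j_1\} \,\Delta_R\, C - \{j_1\}$ and we are done. 

Suppose $\mathbb{B}_A(r) \cap \mathbb{B}_{j_1}(s_1) \ne \emptyset$. Then $\exists q \in R$ such that $\xi_A(q) = r$ 
and $\xi_{j_1}(q) = s_1$. Let $A' = A \cup \{j_1\}$. There exists a $t' \in \xi_{A'}(R)$ 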

j 1 ± ^ 


such that 5 


A^^A 


t ( f ' ) ) ~ ^ ^ ? -i ^ A i.e.. 


"A 


, (t) = 


B(r) n Bj (s^) 0 0. 

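Consider now $\mathbb{B}_{A'}(t') \cap \mathbb{B}_{j_2}(s_2)$. Either this intersection is 
empty or non-empty. Employing the above arguments, either 
$\{j_2\} \,\Delta_R\, C - \{j_2\}$ or $\exists t'' \in \xi_{A' \cup \{j_2\}}(R)$ such that 
$\mathbb{B}_{A' \cup \{j_2\}}(t'') = \mathbb{B}_{A'}(t') \cap \mathbb{B}_{j_2}(s_2)$. Now look at 
$\mathbb{B}_{A' \cup \{j_2\}}(t'') \cap \mathbb{B}_{j_3}(s_3)$ and 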

repeat. The process must terminate at some i.e., 


R-depends on i.e. , 


(t*) n B, (s^J = 0 


j '• m- 
•’ m 


A U . . 0 

because, at worst, 

$\mathbb{B}_A(r) \cap \mathbb{B}_{j_1}(s_1) \cap \cdots \cap \mathbb{B}_{j_{m-1}}(s_{m-1}) \cap \mathbb{B}_{j_m}(s_m) = \emptyset$. 

Therefore, C is R-dependent if and only if $\exists i \in C$ such that 
$\{i\} \,\Delta_R\, C - \{i\}$. 

Corollary : D is R-dependent if and only if $\exists i \in D$ such that 
{i} R-depends on D-{i}. Conversely, D is R-independent if and 
only if $\forall i \in D$, {i} is R-independent of D-{i}. 

To further the understanding of R-dependence and to continue 
the search for simple characterizations of R-dependent 
(R-independent) coordinate sets, we now turn to consideration of 
R-independence. From results derived above one can immediately 
make the following characterization. 

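Theorem 3 : Let $A, B \subseteq D$ be disjoint sets and let $\Psi$ be a coordinate 

mapping such that 

(Such a map $\Psi$ always exists.) Then A is R-independent of B if 
and only if $\Psi(\xi_{A \cup B}(R)) = \xi_A(R) \times \xi_B(R)$. 

Proof : Suppose that $A \not\Delta_R B$. It suffices to show that $\Psi$ is onto. 
Let $r \in \xi_A(R)$, $s \in \xi_B(R)$. By negation of Definition 5, $\exists q \in R$ 
such that $\xi_A(q) = r$ and $\xi_B(q) = s$. Accordingly, 
$\Psi(\xi_{A \cup B}(q)) = (\xi_A(q), \xi_B(q)) = (r,s)$. 

Conversely, suppose $\Psi$ is onto. Then $\forall r \in \xi_A(R)$, 
$\forall s \in \xi_B(R)$, $\exists q \in R\,[\Psi(\xi_{A \cup B}(q)) = (r,s)]$. But $r \in \xi_A(R)$ and 
$s \in \xi_B(R)$ so $\exists q \in R\,[\xi_A(q) = r \text{ and } \xi_B(q) = s]$. Hence $A \not\Delta_R B$. 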

This theorem says that if two disjoint sets A, B are such that 
$(A,B) \notin \Delta_R$ then the projection relative to A and B can be written 
as a cross product. More precisely, the coordinate mapping $\Psi$ 
re-orders the set A U B such that all elements of A appear before 
the elements of B. (The union operator preserves the original 
ordering of D in A U B and so may interweave elements of A and B.) 
The re-ordering allows one to write the (re-ordered) set as a 
Cartesian product. 

For example, let D = {1,2,3} and let R be as given in 
Table I where, for each $q \in R$ we associate a unique label to 
simplify notation. Let A = {1,3}, B = {2}. Then A U B = D. Then 

$\pi_A$ = {{ac}, {bd}, {eg}, {fh}} and 
$\pi_B$ = {{abef}, {cdgh}}. 

Each block of $\pi_A$ has a non-trivial intersection with both blocks 
of $\pi_B$ so $A \not\Delta_R B$. If $\Psi : \{0,1\}^3 \to \{0,1\}^3$ is such that 
$\Psi((q_1,q_2,q_3)) = (q_1,q_3,q_2)$, it is clear that 
$\Psi(\xi_{A \cup B}(R)) = \xi_A(R) \times \xi_B(R) = \{0,1\}^2 \times \{0,1\}$. 


       R        label 

    (0,0,0)       a 
    (0,0,1)       b 
    (0,1,0)       c 
    (0,1,1)       d 
    (1,0,0)       e 
    (1,0,1)       f 
    (1,1,0)       g 
    (1,1,1)       h 

          Table I 

Further examination of R shows that R is in fact a Cartesian 
set. How do such sets fit into the notion of R-independence? 
The relation is demonstrated in Theorem 4 below. However, in 
order to ease the discussion we first prove the following useful 
result. 

Lemma 2 : Let $A, B \subseteq D$. If $A \not\Delta_R B$ then $\forall A' \subseteq A$, $\forall B' \subseteq B$, 

$A' \not\Delta_R B'$. 

Proof : Let A, B be as above, $A' \subseteq A$, and $B' \subseteq B$. Because A 
is R-independent of B, $\forall r \in \xi_A(R)$, $\forall s \in \xi_B(R)$, 
$\exists q \in R\,[\xi_A(q) = r \text{ and } \xi_B(q) = s]$, that is $\forall r \in \xi_A(R)$ and $\forall s \in \xi_B(R)$, 
$\mathbb{B}_A(r) \cap \mathbb{B}_B(s) \ne \emptyset$. Reflection shows that if $r' = \xi_{A'}(\mathbb{B}_A(r)) \in \xi_{A'}(R)$ 
then $\mathbb{B}_A(r) \subseteq \mathbb{B}_{A'}(r')$. Thus for r', s' so described 
($s' = \xi_{B'}(\mathbb{B}_B(s))$), $\mathbb{B}_{A'}(r') \cap \mathbb{B}_{B'}(s') \ne \emptyset$. 

Since each $r \in \xi_A(R)$ has an associated $r' \in \xi_{A'}(R)$ (similarly 
for s, s') we see that 

$\forall r \in \xi_A(R), \forall s \in \xi_B(R)\,[\mathbb{B}_A(r) \cap \mathbb{B}_B(s) \ne \emptyset] \Rightarrow \forall r' \in \xi_{A'}(R), \forall s' \in \xi_{B'}(R)\,[\mathbb{B}_{A'}(r') \cap \mathbb{B}_{B'}(s') \ne \emptyset]$. 

Therefore A' is R-independent of B'. 

This says that if A is R-independent of B then any subset 
of A is R-independent of any subset of B. This knowledge is used to 
obtain the following characterization of an R-dependent set of coordinates. 

Theorem 4 : A coordinate set $A \subseteq D$ is R-independent if and only 
if $\xi_A(R) = \times_{a \in A} \xi_a(R)$. 

Corollary : R is Cartesian if and only if $\forall d \in D$, {d} is 
R-independent of D-{d}. 

Proof : Suppose A is R-independent, that is, $\forall a \in A$, {a} is 
R-independent of A-{a}. Relabel the elements $a_1, \ldots$ of A as 
$1, 2, \ldots$. For a = 1, by Theorem 3, we have 
$\Psi(\xi_A(R)) = \xi_1(R) \times \xi_{A-\{1\}}(R)$. Since a = 1 is the first element of A, $\Psi$ is just 
the identity function, i.e., 

$\xi_A(R) = \xi_1(R) \times \xi_{A-\{1\}}(R)$. 

Consider the coordinate set A' = A-{1}. Then {2} is R-independent 
of A'-{2} since, by assumption, {2} is R-independent of A-{2} 
and so by Lemma 2 {2} is R-independent of A'-{2} ($A'-\{2\} \subseteq A-\{2\}$). 
Repeating the above argument with a = 2 we derive 
$\xi_{A'}(R) = \xi_2(R) \times \xi_{A'-\{2\}}(R)$, therefore 
$\xi_A(R) = \xi_1(R) \times \xi_2(R) \times \xi_{A'-\{2\}}(R)$. Continuing in this fashion we obtain 

$\xi_A(R) = \times_{a \in A} \xi_a(R)$. 

Conversely, suppose $a \in A$ and let $\Psi_a$ 
be the coordinate transformation of A which replaces the first 
coordinate of A by a and increases by one the rank (in the 
ordering) of every other coordinate in A. (For example, 
$\Psi_3((R_1, R_2, R_3, R_4)) = (R_3, R_1, R_2, R_4)$.) 

$\Psi_a(\xi_A(R)) = \xi_a(R) \times \xi_{A-\{a\}}(R)$. 

By Theorem 3, {a} is R-independent of A-{a}. 

From the corollary to Theorem 4 we see that R-independence 
of the coordinate set D characterizes a Cartesian structure for 
R. This yields a straightforward computational test for 
discovering whether D has an absence of R-dependent coordinate 
subsets, namely, test R to see if it is Cartesian. The fact 
that R-independent coordinate subsets correspond to Cartesian 
projections (Theorem 3) likewise provides a simple test for 
the R-independence of a pair of coordinate sets. 

In any large system, the number of disjoint coordinate 
sets which may R-depend upon each other is also very large, and 
not all the dependencies reflected may be relevant to the 
analysis. One area for further investigation is in determining 
which coordinate sets to examine. Along with this problem is 
the problem of characterizing the strength of dependency 
between sets. Given $A \,\Delta_R\, B$, one possible measure is the 
minimal number of elements of Q which must be included in R 
so that A is R-independent of B. This is important because, 
in general, the stronger the dependence between a set of 
subsystems, the likelier it is to be able to use that set as 
a subunit in decomposing the overall system. 

3.3.2.3 Conditional R-Dependence 

The idea of conditional dependence was characterized in 
Section 3.3.2 by the question "If C is known, does the knowledge of 
B increase the knowledge of A?" If so, we say that "A depends 
on B given C." More formally, in the context of R-dependence, 
we introduce the following. 

Definition 6 : For $A, B, C \subseteq D$, A R-depends on B given C (denoted 
$(A \,\Delta_R\, B) \mid C$) if $\exists t \in \xi_C(R)$, $\exists s \in \xi_B(\mathbb{B}_C(t))$, $\exists r \in \xi_A(\mathbb{B}_C(t))$ such 
that $\forall q \in \mathbb{B}_C(t)\,[\xi_B(q) = s \Rightarrow \xi_A(q) \ne r]$. 

This concept of conditional R-dependence can be likened to 
the concept of conditional probabilities. The closest parallel 
lies in the observation that in both cases, by reducing the universe 
of discourse to the particular subset (subpopulation) under 
consideration, all theorems about "absolute" R-dependencies 
(probabilities) once again hold. In effect, the presence of 
conditional R-dependence may be alternately regarded as showing 
the existence of R'-dependence for particular choices of R', 
that is, $(A \,\Delta_R\, B) \mid C$ if $\exists t \in \xi_C(R)$ such that A $\mathbb{B}_C(t)$-depends on 
B. 

For example, let D = {1,2,3,4}, A = {1,2}, B = {4}, 
C = {3}, and 

R = { (0,1,0,0), 
      (1,0,0,0), 
      (1,0,0,1), 
      (0,1,1,0), 
      (0,1,1,1), 
      (1,0,1,1) }. 

Then for $\xi_C(q) = 0$ (i.e., t = (0) in Definition 7), $\forall q \in \mathbb{B}_C(0)$, 
$\xi_A(q) = (0,1) \Rightarrow \xi_B(q) \ne 1$. Hence $(\{1,2\} \,\Delta_R\, \{4\}) \mid \{3\}$. Note 
that $\mathbb{B}_C(0)$ = {(0,1,0,0), (1,0,0,0), (1,0,0,1)} so, alternatively, 
{1,2} $\mathbb{B}_C(0)$-depends on {4}. 

One property that conditional dependence should have follows: 
if $B \subseteq C$, then A should be R-independent of B given C. This is 
intuitively justified by the argument that because knowledge carried 
by B is contained in the knowledge carried by C, no further 
information is being added. That this is a property of conditional 
R-dependence as in Definition 6 is shown in Theorem 5. 

Theorem 5 : If $A, B, C \subseteq D$ and $B \subseteq C$ then A does not R-depend on 
B given C (A is R-independent of B given C). 

Proof : Let $t \in \xi_C(R)$. If $B \subseteq C$ then $\xi_B(\mathbb{B}_C(t)) = \{s_0\}$ for some 
$s_0 \in \xi_B(R)$, i.e., $\xi_B$ takes on but one value. Let $r \in \xi_A(\mathbb{B}_C(t))$. 
We must show that $\exists q \in \mathbb{B}_C(t)$ such that $\xi_A(q) = r$ (since 
$\forall q \in \mathbb{B}_C(t)$, $\xi_B(q) = s_0$). But this is true by definition of 
$\xi_A(\mathbb{B}_C(t))$. Hence A is R-independent of B given C when $B \subseteq C$. 

One may verify that in the above example that $(\{1,2\} \not\Delta_R \{4\}) \mid \{3,4\}$. 
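
The computational tests described at the end of Section 3.3.2.2 (Theorems 2 to 4) and the conditional form of Definition 6 can be run directly on the example sets of this section. The Python code below is an added example, not part of the report; the function names are assumptions, and `r_depends` uses the counting form of Theorem 1 (iii): A R-depends on B exactly when fewer than $|\xi_A(R)| \cdot |\xi_B(R)|$ value pairs occur together in R.

```python
from itertools import combinations, product

def proj(q, A):
    """xi_A(q): the coordinates of q indexed by A (1-based), in index order."""
    return tuple(q[d - 1] for d in sorted(A))

def proj_set(R, A):
    """xi_A(R): the set of projections on A of all elements of R."""
    return {proj(q, A) for q in R}

def block(R, A, s):
    """B_A(s): all elements of R whose projection on A equals s."""
    return {q for q in R if proj(q, A) == s}

def r_depends(R, A, B):
    """Definition 4 via Theorem 1 (iii): some pair (r, s) never occurs together."""
    seen = {(proj(q, A), proj(q, B)) for q in R}
    return len(seen) < len(proj_set(R, A)) * len(proj_set(R, B))

def refines(R, A, B):
    """pi_A <= pi_B: every block of pi_A lies inside a single block of pi_B."""
    seen = {(proj(q, A), proj(q, B)) for q in R}
    return len(seen) == len(proj_set(R, A))

def is_r_dependent_set(R, C):
    """Theorem 2: C is R-dependent iff some {i} R-depends on C - {i}."""
    C = set(C)
    return any(r_depends(R, {i}, C - {i}) for i in C)

def is_cartesian(R, D):
    """R equals the cross product of its single-coordinate projections."""
    size = 1
    for d in D:
        size *= len(proj_set(R, {d}))
    return len(set(R)) == size

def r_depends_given(R, A, B, C):
    """Definition 6: A B_C(t)-depends on B for some t in xi_C(R)."""
    return any(r_depends(block(R, C, t), A, B) for t in proj_set(R, C))

def dependent_pairs(R, D):
    """Pairs i < j of single coordinates with {i} R-depending on {j}."""
    return [(i, j) for i, j in combinations(sorted(D), 2)
            if r_depends(R, {i}, {j})]

# Example sets taken from this section.
R_NT = {(0, 0, 0), (1, 0, 0), (0, 0, 1), (1, 1, 1)}     # non-transitivity example
CUBE = set(product((0, 1), repeat=3))                    # Table I
R_COND = {(0, 1, 0, 0), (1, 0, 0, 0), (1, 0, 0, 1),      # conditional example
          (0, 1, 1, 0), (0, 1, 1, 1), (1, 0, 1, 1)}

if __name__ == "__main__":
    print("R_NT dependent pairs:", dependent_pairs(R_NT, {1, 2, 3}))
    print("Table I Cartesian:", is_cartesian(CUBE, {1, 2, 3}))
    print("{1,2} vs {4}, unconditional:", r_depends(R_COND, {1, 2}, {4}))
    print("{1,2} vs {4} given {3}:", r_depends_given(R_COND, {1, 2}, {4}, {3}))
    print("{1,2} vs {4} given {3,4}:", r_depends_given(R_COND, {1, 2}, {4}, {3, 4}))
```

In the conditional example, {1,2} and {4} are R-independent over the whole of R, and the dependence appears only inside the block $\mathbb{B}_C(0)$.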

The study of the properties of conditional R-dependence 
has just begun. It is hoped that it will provide a powerful 
tool for use in system decomposition. One area for further 
investigation is the delineation of the properties of con- 
ditional R-dependence. Another area is suggested by the 
similarities between probabilistic notions and R-dependence 
concepts. What is the relationship between existing R-depen- 
dencies and the underlying stochastic processes? How can such 
relationships be discovered and used? These questions guide 
our further research. 

3.4 Computation of Trajectory Set Probabilities 

As discussed in Section 3.2, if S is a total system, the 
performability of S for accomplishment level $a \in A$ may be 
expressed as 

$p_S(a) = Pr(\gamma_S^{-1}(a))$. 

The research reported in this section concerns the evaluation of 
probability function Pr for a given trajectory set $\gamma^{-1}(a)$. During 
the previous reporting period, this problem was studied for the 
special case when the capability function $\gamma$ is phasewise structure 
based (see [2], Section 3.2.2) in the sense of Esary and Ziehms 
[8]. In this case, we proposed and illustrated an iterative 
method of computing the trajectory set probabilities associated with the 
"success" level of a two-level accomplishment set. (See [2], 
pp. 43-47.) During the current reporting period, we have 
investigated extensions of this computational method to i) any "Cartesian" 
trajectory set, and ii) phased base models that are not necessarily 
stationary Markov processes. 

3.4.1 Phased Models 

Borrowing from the terminology of earlier work concerning 
"phased missions" (see [ ], for example), a model of a total 
system is phased if the number of observation times in the utilization 
period is finite, i.e., 

$T = \{t_0, t_1, \ldots, t_k\}$ 

where $t_0 < t_1 < \cdots < t_k$. The interval $[t_{m-1}, t_m]$, $1 \le m \le k$, 
is referred to as the m-th phase. Although phased models appear 
at the outset to be quite restricted, this is not the case, for 







given a non-phased model, there often exists a phased model where 
performability is the same as that of the non-phased model. In 
general, system models having the same performability will be 
referred to as equivalent models . In other words, a total system 
model with capability function y and base model probability 
function Pr is equivalent to a second model with capability 
function x and probability function Pr if and only if for all 
accomplishment levels a e A 

Pr Cy“^(a)) = Pr (y“^(a)) . 

Much of the traditional reliability analysis is facilitated by the 
fact that equivalent phased models (often single-phased) can be 
used to evaluate system reliability. 

To illustrate this point, consider a typical continuous time 
Markov model of a TMR system (with a perfect voter) where the 
simplex system has failure rate $\lambda$, i.e., the Markov process 
$X_S = \{X_t \mid t \in T\}$ is represented by the graph 

[Figure: state-transition graph of the TMR Markov model; transition rates $3\lambda$ and $2\lambda$.] 


If the utilization period is $T = [t_0, t_1]$ and the accomplishment 
set is $A = \{a_0, a_1\}$ (where $a_0$ = success and $a_1$ = failure), then 
the capability function is given by: 

$\gamma_S(u) = a_0$ if $u(t) \in \{1,2\}$, $\forall t \in T$ 
$\gamma_S(u) = a_1$ otherwise. 

Accordingly, 

$p_S(a_0) = Pr(\gamma_S^{-1}(a_0)) = Pr(\{u \mid u(t) \in \{1,2\}, \forall t \in T\})$. 
However, since $\gamma_S$ is structure based and the probability of 
entering a success state (1 or 2) from the failure state (3) 
is zero, there exists a one-phased model having the same 
performability. More precisely, consider the base model 


X. = {X. , X. } 

i.e., the new base model is a pair of random variables describing 
the state of the original model at the beginning and the end of 
the utilization period. Furthermore, if we let y^ be the function 


YgCu) 


0 


if u(tj^) e { 1 , 2 } 


a^i otherwise. 


then 


" Pr(yg (a^)) 

= Pr(X. E {1,2}) 

1 

= PrCX. e {1,2}) 

1 

$= Pr(\{u \mid u(t_1) \in \{1,2\}\})$ 

$= Pr(\{u \mid \gamma_S(u) = a_0\}) + Pr(\{u \mid \gamma_S(u) \ne a_0 \text{ and } u(t_1) \in \{1,2\}\})$. 

Since $\gamma_S(u) \ne a_0$ and $u(t_1) \in \{1,2\}$ imply that $Pr(\{u\}) = 0$, 

PgCao) = PrCYgl(ap)) 

= Pr ({ujygCu) = a^}) 

Thus, the single phase model is equivalent to the original model, 
permitting performability (which, in this case, is reliability) 
to be computed in terms of the state of the system at the end 
of its utilization period. 
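
The equivalence argued above can be checked numerically. The Python code below is an added example, not part of the report; it assumes the graph is the chain 1 → 2 → 3 with rates 3λ and 2λ, a start in state 1, and a first-order time discretization, and it adds a hypothetical repair rate `mu` (3 → 2, not in the report) to show the end-state shortcut failing once the failure state can be left.

```python
import math

SUCCESS = {0, 1}  # list indices of states 1 and 2; index 2 is the failure state 3

def tmr_generator(lam, mu=0.0):
    """Generator matrix of the assumed chain 1 -3*lam-> 2 -2*lam-> 3.
    mu is a hypothetical repair rate 3 -> 2 (0.0 reproduces the report's model)."""
    return [[-3 * lam, 3 * lam, 0.0],
            [0.0, -2 * lam, 2 * lam],
            [0.0, mu, -mu]]

def euler_step(Q, dt):
    """First-order one-step transition matrix I + Q*dt for a small interval dt."""
    n = len(Q)
    return [[(1.0 if i == j else 0.0) + Q[i][j] * dt for j in range(n)]
            for i in range(n)]

def propagate(dist, P, keep=None):
    """Advance a state distribution one step. With keep given, mass that lands
    outside keep is discarded: those trajectories have left the success set."""
    n = len(P)
    nxt = [sum(dist[i] * P[i][j] for i in range(n)) for j in range(n)]
    if keep is not None:
        nxt = [p if j in keep else 0.0 for j, p in enumerate(nxt)]
    return nxt

def success_probabilities(Q, horizon, steps=10000):
    """Return (trajectory, end_state):
    trajectory = Pr{u(t) in {1,2} at every step of the utilization period},
    end_state  = Pr{state at the end of the period is in {1,2}}."""
    P = euler_step(Q, horizon / steps)
    full = [1.0, 0.0, 0.0]   # assumed initial state: state 1
    path = [1.0, 0.0, 0.0]
    for _ in range(steps):
        full = propagate(full, P)
        path = propagate(path, P, keep=SUCCESS)
    return sum(path), sum(full[j] for j in SUCCESS)

def tmr_reliability(lam, t):
    """Closed-form Pr{state at t in {1,2}} for the chain without repair."""
    return 3 * math.exp(-2 * lam * t) - 2 * math.exp(-3 * lam * t)

if __name__ == "__main__":
    lam, horizon = 1e-3, 100.0   # constructed sample values
    traj, end = success_probabilities(tmr_generator(lam), horizon)
    print("no repair:   trajectory=%.6f end-state=%.6f closed-form=%.6f"
          % (traj, end, tmr_reliability(lam, horizon)))
    traj_r, end_r = success_probabilities(tmr_generator(lam, mu=1e-2), horizon)
    print("with repair: trajectory=%.6f end-state=%.6f" % (traj_r, end_r))
```

With `mu = 0` the two probabilities coincide; with repair, trajectories that fail and recover are counted by the end-state test only, so the single-phase model overstates performability.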

Such single phase equivalents (or multiphase equivalents 
in the case of phased missions) exist whenever traditional 
reliability modeling assumptions are made with regard to the 
intra-phase processes. Accordingly, we have continued our in- 
vestigation of phased model evaluation methods, where the results 
obtained during the current reporting period are discussed in 
the subsections that follow. 


3.4.2 Performability Evaluation of Phased Models 

Let S be a phased total system model (see Section 3.4.1)
with base model $X_S$, state space $Q = \{q_1, q_2, \ldots, q_n\}$ and
utilization period $T = \{t_1, t_2, \ldots, t_k\}$. Since the utilization
period is finite, the trajectory space of S can be represented by
$U = Q^k = Q \times \cdots \times Q$ ($k$ times) and the capability
function is a function

$$\gamma : Q^k \to A$$

where k is the number of observation times. With regard to
evaluating the probability of a trajectory set $\gamma^{-1}(a) \subseteq Q^k$, we have
found that Cartesian trajectory sets are amenable to interactive
methods of evaluation. Accordingly, by decomposing $\gamma^{-1}(a)$ into
a finite number of disjoint Cartesian subsets, $\Pr(\gamma^{-1}(a))$ can be
evaluated in a straight-forward manner.

As defined in Section 3.3, a trajectory set $V \subseteq Q^k$ is Cartesian
if $V = \times_{i=1}^{k} C_i(V)$ where $C_i(V)$ is the projection of V onto the
$i$-th coordinate. Note that the projection provides one with a
method for examining the state of the system at the $i$-th observation
time $t_i$ with respect to the trajectory set V. Thus, the
coordinatization system used here is temporal rather than the more
general case (both temporal and spatial) discussed in Section 3.3.

As demonstrated in Section 3.3.2.2, Cartesian sets are
characterized by the notion of R-independent coordinate sets. 

Thus, a test for determining whether a set is Cartesian is to 
determine R-dependencies between its coordinates. 

For each $C_i(V)$, let $B_i = \{u \in Q^k \mid \xi_i(u) \in C_i(V)\}$ be the set
of all state trajectories in U that assume values in $C_i(V)$ at
the $i$-th observation time. Using the notation developed in the
previous section, $B_i$ can be expressed as

$$B_i = \bigcup_{s \in C_i(V)} b_i(s).$$

Moreover, the probability of $B_i$ can be expressed as a
one-dimensional distribution of the base model $X_S$, i.e.,

$$\Pr(B_i) = P(\{\omega \mid X_{t_i}(\omega) \in C_i(V)\})$$

(see Section 3.1).

When V is a Cartesian set, it is clear that V can be represented
as the intersection of those rather elementary sets, i.e.,

$$V = \times_{i=1}^{k} C_i(V) = \bigcap_{i=1}^{k} B_i.$$


By iteratively applying the definition of conditional probability,
it is also clear that

$$\Pr(V) = \Pr\Big(B_k \,\Big|\, \bigcap_{i=1}^{k-1} B_i\Big)\,\Pr\Big(B_{k-1} \,\Big|\, \bigcap_{i=1}^{k-2} B_i\Big) \cdots \Pr(B_2 \mid B_1)\,\Pr(B_1).$$

Since each term in the product involves only elementary sets
$B_i$, we show in the following discussion (see equation 3.4.1)
that Pr(V) can be determined iteratively using matrix multiplications.

Without loss of generality, we suppose that the initial time
$t_0 = 0$ and we let $I(0)$ denote the initial state distribution
for the base model, that is,

$$I(0) = [p_1(0), \ldots, p_n(0)]$$

where $p_i(0) = \Pr[X_{t_0} = q_i]$, $1 \le i \le n$. Let $P(m)$ be the state
transition matrix of the $m$-th phase of the base model $X_S$, i.e.,

$$P(m) = [p_{ij}(m)]$$

where $p_{ij}(m) = \Pr(X_{t_m} = q_j \mid X_{t_{m-1}} = q_i)$.

For each phase m ($1 \le m < k$), let $G(m)$ denote the characteristic
matrix of the $m$-th phase, i.e., $G(m) = [g_{ij}(m)]$ where

$$g_{ij}(m) = \begin{cases} 1 & \text{if } i = j \text{ and } q_i \in C_m(V) \\ 0 & \text{otherwise.} \end{cases}$$

For the final phase, we define a characteristic vector 

F(k) = 

where 

fi(k) = 

Then as a special case of the more general formula proved in
Theorem 3, the probability of the Cartesian set V can be formulated as:

$$\Pr(V) = I(0)\left[\prod_{i=1}^{k-1} P(i)G(i)\right] P(k)F(k). \qquad (3.4.1)$$


Given the above result concerning Cartesian sets, an important
step in evaluating $\Pr(\gamma^{-1}(a))$ is to express $\gamma^{-1}(a)$ in terms of
Cartesian components. Thus, if $\gamma^{-1}(a) = \bigcup_{i=1}^{m} V_i$ where
$\{V_i \mid i = 1,2,\ldots,m\}$ are Cartesian sets and $V_i \cap V_j = \emptyset$ if $i \ne j$, then

$$\Pr(\gamma^{-1}(a)) = \sum_{i=1}^{m} \Pr(V_i)$$

and hence performability can be calculated by summing the
probabilities of Cartesian sets. The existence of the set
$\{V_i \mid i = 1,2,\ldots,m\}$ can be shown as follows. Since each singleton set
$\{u\}$, $u \in U$, is a Cartesian set, by definition,

$$\gamma^{-1}(a) = \bigcup_{u \in \gamma^{-1}(a)} \{u\}$$

satisfies the above conditions. However, in practical situations
where $\gamma^{-1}(a)$ is very large each singleton set will have negligible
probability and the cumulative error resulting from the sum of a
large number of single probabilities will generally be intolerable.
To avoid this enumeration approach, we have developed a method
(see Section 3.5.4.2) for determining $\{V_i \mid i = 1,\ldots,m\}$ in a systematic
manner, using a hierarchical formulation of the capability function.


3.4.3 Simplification of Phased Models

Let S be a phased total system model with base model

$$X_S = \{X_{t_i} \mid i = 0,1,\ldots,k\}$$

where $t_0 < t_1 < \ldots < t_k$ and where each random variable $X_{t_i}$ takes
values in the state space

$$Q = \{q_1, q_2, \ldots, q_n\}.$$

Since the phased base model may have been derived from a
larger equivalent model $X_S$ (e.g., a continuous-time Markov model),
the state space Q may be much larger than needed to distinguish
accomplishment levels via the capability function of the phased
model. Accordingly, we have continued to pursue our investigation
of state "lumping" methods which can further simplify the
evaluation of state trajectory set probabilities. (See [12], for example,
where a Markov model with 146 states is reduced to a model with
11 states.) In particular, we have conducted a more detailed
study of "Michigan lumping" wherein different lumping relations
can be associated with different phases of the phased model.

In general, we define the lumping relation $\equiv_m$ of phase m
($1 \le m \le k$) to be an equivalence relation on the state space
Q. The partition of $\equiv_m$ is denoted

$$Q_m = \{m1, m2, \ldots, mb_m\}$$

where $b_m$ is the number of equivalence classes (lumps) of the
lumping relation $\equiv_m$. Each equivalence class mi is a subset of
the state space Q where, if $r \in mi$, then

$$mi = \{q \in Q \mid q \equiv_m r\}.$$

To illustrate, suppose S is a triplicated system with state space
$Q = \{0,1\}^3$, where q = (0,0,0) means all three subsystems are
fault-free and, at the other extreme, q = (1,1,1) says that all
three subsystems are faulty. Supposing further that there is
only one phase with the lumping relation

    $q \equiv_1 r$ if q and r represent the same
    number of faulty subsystems

then the corresponding partition (lumping) is given by:

$$Q_1 = \{11, 12, 13, 14\}$$

where

    11 = {(0,0,0)}

    12 = {(1,0,0),(0,1,0),(0,0,1)}

    13 = {(1,1,0),(1,0,1),(0,1,1)}

    14 = {(1,1,1)}.

In general, given m lumping relations, one for each phase,
we can associate a lumped base model $\bar{X}_S$ with the original phased
base model $X_S$ by defining $\bar{X}_S$ as follows:

$$\bar{X}_S = \{\bar{X}_m \mid m = 0,1,\ldots,k\}$$

where if m = 0 then

$$\bar{X}_0 = 1i \ \text{ if } X_{t_0} \in 1i \quad (1 \le i \le b_1)$$

and if $1 \le m \le k$ then

$$\bar{X}_m = mi \ \text{ if } X_{t_m} \in mi \quad (1 \le i \le b_m).$$

(The variables $X_{t_m}$, $0 \le m \le k$, are the random variables of the
phased base model $X_S$.) For a lumped model to be useful, it must
be compatible with the capability function $\gamma$ in the sense that
system performance can be determined knowing the state trajectory
of $\bar{X}_S$ at times $t_1, t_2, \ldots, t_k$. More precisely, if U is the trajectory
space of the phased model then two trajectories $u, u' \in U$ are
equivalent (denoted $u \equiv u'$) if $u(t_m) \equiv_m u'(t_m)$, for m = 1,2,...,k.
Then we require that the lumping relations be such that

$$u \equiv u' \ \text{ implies } \ \gamma(u) = \gamma(u')$$

for all $u, u' \in U$. Under this condition, the trajectory space
$\bar{U}$ of $\bar{X}_S$ can be effectively regarded as the space

$$\bar{U} = Q_1 \times Q_2 \times \cdots \times Q_k$$

and the induced capability function $\bar{\gamma} : \bar{U} \to A$ is given by

$$\bar{\gamma}(1i_1, 2i_2, \ldots, ki_k) = \gamma(u)$$

where u is any trajectory in U such that $u(t_m) \in mi_m$, m = 1,2,...,k.

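Finally, if $V \subseteq \bar{U}$, the induced probability function $\overline{\Pr}$ of the
lumped model is given by

$$\overline{\Pr}(V) = \Pr(W)$$

where

$$W = \{u \in U \mid \text{for some } (1i_1, 2i_2, \ldots, ki_k) \in V,\ u(t_m) \in mi_m,\ m = 1,2,\ldots,k\}.$$

In particular, it follows that

$$\overline{\Pr}(\bar{X}_m = mi) = \Pr(X_{t_m} \in mi) \qquad (3.4.2)$$

and, more generally, that

$$\overline{\Pr}(\bar{X}_1 = 1i_1, \ldots, \bar{X}_k = ki_k) = \Pr(X_{t_1} \in 1i_1, \ldots, X_{t_k} \in ki_k)$$

(3.4
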


Given the above definitions of $\bar{\gamma}$ and $\overline{\Pr}$, it is easily verified
that the lumped model is equivalent to the original phased model.
Although the probability function $\overline{\Pr}$ is well defined for arbitrary
lumping relations, the lumpings may be such that $\overline{\Pr}$ is very
difficult to evaluate, due to the fact that lumping does not, in general,
preserve special stochastic properties. For example, if the phased
base model $X_S$ is a stationary Markov process, a lumped model $\bar{X}_S$ is
generally neither stationary nor Markovian. This problem is
addressed in the subsections that follow, beginning with the case
where the lumpings are unrestricted.

We suppose first, as in the previous subsection, that the
structure of the trajectory set in question is Cartesian, that
is, $V \subseteq \bar{U}$ where

$$V = \times_{i=1}^{k} C_i(V),$$

or, alternatively, letting

$$V = R_1 \times R_2 \times \cdots \times R_k,$$

Then the objects of study are a) the probability

$$\overline{\Pr}(V) = \overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_k \in R_k)$$

and b) its formulation in terms of the probability function Pr
of the (unlumped) phased model.

We begin by considering the more restricted problem, that
of evaluating the one-dimensional probabilities

$$\overline{\Pr}(\bar{X}_\ell \in R_\ell), \quad \ell = 1,2,\ldots,k.$$

Relative to the $m$-th phase of the phased model, define

$$P(m) = [p_{ij}(m)]$$

where

$$p_{ij}(m) = \Pr(X_{t_m} \in mj \mid X_{t_{m-1}} \in mi),$$

i.e., the probability of being in lumped state mj at the $m$-th
observation time given that the phased model state is in lump mi
at the beginning of the $m$-th phase. Thus $P(m)$ is the initial to
final state transition matrix of the $m$-th phase. For all but the
final phase define

$$H(m) = [h_{ij}(m)]$$

where

$$h_{ij}(m) = \Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi),$$

i.e., the probability of being in state (m+1)j at the beginning
of the $(m+1)$-th phase given that the lumped model is in state mi
at the $m$-th observation time. Thus $H(m)$ is the interphase
transition matrix between phase m and phase m + 1. Note that the
above matrices are definable beginning with an arbitrary process $X_S$.

Let $I(0)$ be the initial state probability distribution of the
lumped model $\bar{X}_S$, i.e.,

$$I(0) = [p_1, p_2, \ldots, p_{b_1}]$$

where

$$p_i = \Pr(X_{t_0} \in 1i) = \overline{\Pr}(\bar{X}_0 = 1i).$$

Let $J(\ell)$ be the state probability distribution of $\bar{X}_S$ at the end of
phase $\ell$, i.e.,

$$J(\ell) = [r_1, \ldots, r_{b_\ell}]$$

where

$$r_i = \overline{\Pr}(\bar{X}_\ell = \ell i)$$

is the probability of being in state $\ell i$ at the $\ell$-th observation
time. Then

Theorem 1: $J(\ell) = I(0)\left[\prod_{m=1}^{\ell-1} P(m)H(m)\right]P(\ell)$

Proof: We prove this by induction. For $\ell = 1$,

$$J(1) = I(0)P(1) = [a_1, \ldots, a_j, \ldots, a_{b_1}]$$

where

$$\begin{aligned}
a_j &= \sum_{i=1}^{b_1} \Pr(X_{t_0} \in 1i) \cdot \Pr(X_{t_1} \in 1j \mid X_{t_0} \in 1i) \\
&= \sum_{i=1}^{b_1} \Pr(X_{t_1} \in 1j,\ X_{t_0} \in 1i) \\
&= \Pr(X_{t_1} \in 1j) = \overline{\Pr}(\bar{X}_1 = 1j).
\end{aligned}$$

Suppose that the formula holds for $\ell$, $1 \le \ell < k$; we have to
show that

$$J(\ell+1) = I(0)\left[\prod_{m=1}^{\ell} P(m)H(m)\right]P(\ell+1).$$

When multiplied by $H(\ell)P(\ell+1)$ on both sides, the equation for
$J(\ell)$ becomes

$$J(\ell)H(\ell)P(\ell+1) = I(0)\left[\prod_{m=1}^{\ell} P(m)H(m)\right]P(\ell+1).$$


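When we iteratively compute the matrix product on the left hand
side, beginning from the left, then the first two terms become

$$J(\ell)H(\ell) = [c_1, \ldots, c_j, \ldots, c_{b_{\ell+1}}]$$

where

$$\begin{aligned}
c_j &= \sum_{i=1}^{b_\ell} \overline{\Pr}(\bar{X}_\ell = \ell i) \cdot \Pr(X_{t_\ell} \in (\ell+1)j \mid X_{t_\ell} \in \ell i) \\
&= \sum_{i=1}^{b_\ell} \Pr(X_{t_\ell} \in \ell i) \cdot \Pr(X_{t_\ell} \in (\ell+1)j \mid X_{t_\ell} \in \ell i) \\
&= \sum_{i=1}^{b_\ell} \Pr(X_{t_\ell} \in (\ell+1)j \cap \ell i) \\
&= \Pr(X_{t_\ell} \in (\ell+1)j)
\end{aligned}$$

is the probability of being in state $(\ell+1)j$ at the beginning of
the $(\ell+1)$-th phase.

Finally, multiplying the product by the $(\ell+1)$-th phase
transition matrix,

$$J(\ell)H(\ell)P(\ell+1) = [d_1, \ldots, d_j, \ldots, d_{b_{\ell+1}}]$$

where

$$\begin{aligned}
d_j &= \sum_{i=1}^{b_{\ell+1}} \Pr(X_{t_\ell} \in (\ell+1)i) \cdot \Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} \in (\ell+1)i) \\
&= \sum_{i=1}^{b_{\ell+1}} \Pr(X_{t_{\ell+1}} \in (\ell+1)j,\ X_{t_\ell} \in (\ell+1)i) \\
&= \Pr(X_{t_{\ell+1}} \in (\ell+1)j) = \overline{\Pr}(\bar{X}_{\ell+1} = (\ell+1)j).
\end{aligned}$$

Thus

$$J(\ell+1) = J(\ell)H(\ell)P(\ell+1) = I(0)\left[\prod_{m=1}^{\ell} P(m)H(m)\right]P(\ell+1)$$

which completes the proof.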

If we compare equation 3.4.4 with the formula on page 44 of
the Second Semi-Annual Status Report, we note that it does not
involve the G and F matrices. It is used solely to compute the
probability (mass) function of the random variable $\bar{X}_\ell$ (the state
of the lumped process at the $\ell$-th observation time). Also, it is
important to note that this formula applies to an arbitrary
phased base model $X_S$ and, in particular, the lumped process $\bar{X}_S$
need not be Markov.

Let us now consider the problem addressed at the outset of
this subsection, i.e., the probability evaluation of a Cartesian
trajectory set

$$V = R_1 \times R_2 \times \cdots \times R_k \subseteq \bar{U}$$

where

$$\overline{\Pr}(V) = \overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_k \in R_k).$$

Extending the G and F matrices of the previous subsection to
the phased base model $\bar{X}_S$, let $G(m)$ denote the characteristic
matrix of the $m$-th phase ($1 \le m < k$), i.e.,


G(m) = [g..(m)] 


g • • (in) = ■ 

0 otherwise , 


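and for the final phase (m=k) we define a characteristic vector

$$F(k) = \begin{bmatrix} f_1(k) \\ \vdots \\ f_{b_k}(k) \end{bmatrix}$$

where

$$f_i(k) = \begin{cases} 1 & \text{if } ki \in R_k \\ 0 & \text{otherwise.} \end{cases}$$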




For each $R_\ell$, $\ell = 1,2,\ldots,k$, let $\cup R_\ell$ be the union of all the
equivalence classes contained in $R_\ell$, i.e.,

$$\cup R_\ell = \bigcup_{\ell i \in R_\ell} \ell i.$$

For each phase m, except the final phase, define

$$K(m) = [k_{ij}(m)], \quad m = 1,2,\ldots,k-1,$$

where

$$k_{ij}(m) = \Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi,\ X_{t_{m-1}} \in \cup R_{m-1},\ \ldots,\ X_{t_1} \in \cup R_1).$$

The matrix K(m) is similar to the interphase transition matrix 
H(m) except that the interphase transition probabilities are now 
conditioned by the first m-1 components of the Cartesian set V.

Hence K generally depends on V while H does not. (Conditions 
under which K can be identified with H are a subject of later 
discussion.) 

To compute $\overline{\Pr}(V)$ in terms of the matrices P(m), G(m), F(m)
and K(m), we assume further that the lumping relations are
compatible with the phased model $X_S$ to the extent that transition
probabilities are invariant over the states in a lump. More
precisely, we say that $X_S$ is strongly lumpable with respect to
$\equiv_m$ if for all $mi, mj \in Q_m$ the probabilities

$$\Pr(X_{t_m} \in mj \mid X_{t_{m-1}} = q)$$

are the same for all $q \in mi$. A lumped model $\bar{X}_S$ is strongly lumped
if $X_S$ is strongly lumpable with respect to all $\equiv_m$, m = 1,2,...,k.

Although we refer to such lumping as "strong", it can be
shown that the usual type of stationary Markov chain lumping (i.e.,
where the Markov property is preserved relative to all initial
state distributions) is strong in the above sense (see, for
example, [14], p. 124). In particular, all the work we have
seen concerning Markov model simplification for reliability
analysis has utilized strong lumping. Thus, strong lumping, as
defined above, is not a severe constraint. Indeed, our concept
of a strongly lumped process $\bar{X}_S$ is weaker than the usual type
of strongly lumped process which presumes the use of a single
lumping relation throughout the utilization period.

In terms of the above concepts we are able to prove the 
following important lemma. 

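Lemma 1: If $\bar{X}_S$ is strongly lumped then

$$\overline{\Pr}(\bar{X}_1 \in R_1, \ldots, \bar{X}_k \in R_k) = I(0)\left[\prod_{m=1}^{k-1} P(m)G(m)K(m)\right]P(k)F(k). \qquad (3.4.6)$$

Proof: We show this by induction. When k = 1,

$$I(0)P(1)F(1) = \sum_{1j \in R_1} \overline{\Pr}(\bar{X}_1 = 1j) = \overline{\Pr}(\bar{X}_1 \in R_1).$$

Suppose that the formula holds for $k = \ell$, that is

$$\overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_\ell \in R_\ell) = I(0)\left[\prod_{m=1}^{\ell-1} P(m)G(m)K(m)\right]P(\ell)F(\ell).$$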


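Then

$$\begin{aligned}
I(0)\left[\prod_{m=1}^{\ell} P(m)G(m)K(m)\right]P(\ell+1)F(\ell+1)
&= \left(I(0)\left[\prod_{m=1}^{\ell-1} P(m)G(m)K(m)\right]P(\ell)G(\ell)\right)K(\ell)P(\ell+1)F(\ell+1) \\
&= A_1 K(\ell)P(\ell+1)F(\ell+1)
\end{aligned}$$

where

$$A_1 = [a_1, \ldots, a_i, \ldots, a_{b_\ell}]$$

and

$$a_i = \begin{cases} \overline{\Pr}(\bar{X}_1 \in R_1, \ldots, \bar{X}_{\ell-1} \in R_{\ell-1}, \bar{X}_\ell = \ell i) & \text{if } \ell i \in R_\ell \\ 0 & \text{otherwise,} \end{cases}$$

by applying the equation for $k = \ell$.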

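When we iteratively compute the matrix product, beginning from
the left, then the first two terms become

$$A_2 = A_1 K(\ell) = [c_1, \ldots, c_j, \ldots, c_{b_{\ell+1}}]$$

where

$$\begin{aligned}
c_j &= \sum_{i=1}^{b_\ell} a_i k_{ij}(\ell) \\
&= \sum_{\ell i \in R_\ell} \overline{\Pr}(\bar{X}_1 \in R_1, \ldots, \bar{X}_{\ell-1} \in R_{\ell-1}, \bar{X}_\ell = \ell i) \\
&\qquad \cdot \Pr(X_{t_\ell} \in (\ell+1)j \mid X_{t_\ell} \in \ell i,\ X_{t_{\ell-1}} \in \cup R_{\ell-1},\ \ldots,\ X_{t_1} \in \cup R_1) \\
&= \sum_{\ell i \in R_\ell} \Pr(X_{t_1} \in \cup R_1, \ldots, X_{t_{\ell-1}} \in \cup R_{\ell-1},\ X_{t_\ell} \in \ell i,\ X_{t_\ell} \in (\ell+1)j) \\
&= \Pr(X_{t_1} \in \cup R_1, \ldots, X_{t_\ell} \in \cup R_\ell,\ X_{t_\ell} \in (\ell+1)j).
\end{aligned}$$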

1 Sj sl 

The next partial product is the result of multiplying $A_2$ by
the transition matrix $P(\ell+1)$ which yields:

$$A_3 = A_2 P(\ell+1) = [d_1, \ldots, d_j, \ldots, d_{b_{\ell+1}}]$$

where

$$d_j = \sum_{i=1}^{b_{\ell+1}} c_i\, p_{ij}(\ell+1) = \sum_{i=1}^{b_{\ell+1}} c_i \Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} \in (\ell+1)i).$$

Since $X_S$ is strongly lumpable with respect to the lumping
relation $\equiv_{\ell+1}$,

$$\Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} = q)$$

is the same for every $q \in (\ell+1)i$. Let p denote this common
probability and consider the events

$$A = X_{t_{\ell+1}} \in (\ell+1)j$$

$$B = X_{t_\ell} \in (\ell+1)i,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1$$

$$C = X_{t_\ell} \in (\ell+1)i.$$

Then, since $B \subseteq C$, there is a subset R of the lumped state $(\ell+1)i$
such that

$$B = X_{t_\ell} \in R.$$


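Accordingly,

$$\Pr(A \mid B) = \frac{\Pr(AB)}{\Pr(B)}$$

where

$$\Pr(AB) = \sum_{q \in R} \Pr(A \mid X_{t_\ell} = q)\Pr(X_{t_\ell} = q).$$

Since $\Pr(A \mid X_{t_\ell} = q) = p$ for all $q \in R$,

$$\Pr(AB) = \sum_{q \in R} p \cdot \Pr(X_{t_\ell} = q) = p \cdot \sum_{q \in R} \Pr(X_{t_\ell} = q) = p \cdot \Pr(B).$$

Accordingly

$$\Pr(A \mid B) = \frac{p \cdot \Pr(B)}{\Pr(B)} = p.$$

In particular, when B = C

$$\Pr(A \mid C) = p$$

and, hence

$$\Pr(A \mid C) = \Pr(A \mid B).$$

In other words,

$$\Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} \in (\ell+1)i) = \Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} \in (\ell+1)i,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1).$$
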

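Strong lumpability therefore allows us to forget the past
history when determining the intraphase transition probabilities.
Accordingly, by replacing Pr(A|C) with Pr(A|B) in $d_j$,

$$\begin{aligned}
d_j &= \sum_{i=1}^{b_{\ell+1}} \Pr(X_{t_\ell} \in (\ell+1)i,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1) \\
&\qquad \cdot \Pr(X_{t_{\ell+1}} \in (\ell+1)j \mid X_{t_\ell} \in (\ell+1)i,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1) \\
&= \sum_{i=1}^{b_{\ell+1}} \Pr(X_{t_{\ell+1}} \in (\ell+1)j,\ X_{t_\ell} \in (\ell+1)i,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1) \\
&= \Pr(X_{t_{\ell+1}} \in (\ell+1)j,\ X_{t_\ell} \in \cup R_\ell,\ \ldots,\ X_{t_1} \in \cup R_1) \\
&= \overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_\ell \in R_\ell, \bar{X}_{\ell+1} = (\ell+1)j).
\end{aligned}$$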

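The product is completed by multiplying $A_3$ by the characteristic
vector $F(\ell+1)$ of the final phase, that is,

$$\begin{aligned}
I(0)\left[\prod_{m=1}^{\ell} P(m)G(m)K(m)\right]P(\ell+1)F(\ell+1) &= A_3 F(\ell+1) \\
&= \sum_{(\ell+1)j \in R_{\ell+1}} \overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_\ell \in R_\ell, \bar{X}_{\ell+1} = (\ell+1)j) \\
&= \overline{\Pr}(\bar{X}_1 \in R_1, \bar{X}_2 \in R_2, \ldots, \bar{X}_{\ell+1} \in R_{\ell+1}).
\end{aligned}$$

Thus, equation 3.4.6 holds for all $\ell \le k$, which completes the
proof of Lemma 1.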

Note that in proving the lemma, we did not use the assumption
that $X_S$ is strongly lumpable with respect to $\equiv_1$ and hence we can
relax the hypothesis and require only that $X_S$ be strongly lumpable
with respect to $\equiv_m$, m = 2,3,...,k. However, in order to simplify
the calculation of the transition probability matrix P(1) associated
with the first phase, it is convenient to assume that $X_S$ is strongly
lumpable for all phases. This remark applies as well to the
subsequent results concerning the evaluation of $\overline{\Pr}(V)$.

Although Lemma 1 provides us with a relatively unrestricted
closed form formulation of $\overline{\Pr}(V)$, its disadvantages derive from
the fact that the K(m) matrices may be difficult to obtain in
practical applications. In particular, K(m) will generally depend
on V as well as $X_S$ and, moreover, will generally depend on the
history of $X_S$ prior to phase m. The latter objection disappears
when the lumping relations are such that

$$\Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi,\ X_{t_{m-1}} \in \cup R_{m-1},\ \ldots,\ X_{t_1} \in \cup R_1) = \Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi) \qquad (3.4.7)$$

for all (m+1)j ∈ and mi ∈

Recalling the definitions of K(m) and H(m), the preceding
condition is just the condition which guarantees that K(m) = H(m).
Accordingly, we obtain the following specialization of Lemma 1.

Theorem 2: If $\bar{X}_S$ is strongly lumped, $V = R_1 \times R_2 \times \cdots \times R_k$ and
equation (3.4.7) holds for m = 1,2,...,k-1, then

$$\overline{\Pr}(V) = I(0)\left[\prod_{m=1}^{k-1} P(m)G(m)H(m)\right]P(k)F(k). \qquad (3.4.8)$$

Since equation (3.4.7) depends on the specific nature of the
Cartesian set V, for a fixed strongly lumped model $\bar{X}_S$, the
hypothesis of Theorem 2 may hold for certain trajectory sets V but not
for others. Accordingly, we have sought to identify even stronger
conditions under which equation 3.4.8 will hold for arbitrary
Cartesian trajectory sets.

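Lemma 2: If $\bar{X}_S$ is strongly lumped then equation 3.4.7 holds for
all Cartesian sets V and for all phases m, if and only if

$$\Pr(X_{t_m} \in (m+1)i_{m+1} \mid X_{t_m} \in mi_m,\ X_{t_{m-1}} \in (m-1)i_{m-1},\ \ldots,\ X_{t_1} \in 1i_1) = \Pr(X_{t_m} \in (m+1)i_{m+1} \mid X_{t_m} \in mi_m) \qquad (3.4.9)$$

for all m = 1,2,...,k-1, and for all (m+
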

Proof: Suppose equation 3.4.7 holds for all Cartesian sets
$V = \times_{i=1}^{k} R_i$, then by taking $R_\ell$ to be the singleton set $\{\ell i_\ell\}$,
$\ell = 1,2,\ldots,m+1$,

$$\Pr(X_{t_m} \in (m+1)i_{m+1} \mid X_{t_m} \in mi_m,\ X_{t_{m-1}} \in (m-1)i_{m-1},\ \ldots,\ X_{t_1} \in 1i_1) = \Pr(X_{t_m} \in (m+1)i_{m+1} \mid X_{t_m} \in mi_m).$$

Conversely, when equation 3.4.9 holds for every $\ell i_\ell \in Q_\ell$,
$\ell = 1,2,\ldots,m+1$, then

Pr(X^ e (m+l)j|X^ e e UR e UR,) 

m m m-1 ^ 


L ^ (in-»-l)jlX e nii e (m-l)i 

Ai^eR^ ''m ^ ^m-1 ^ ^ 

Z=l,...,m 


Pr(X 

X e li ). 

^ Pr(X 


t ^ 1 > * • * ^ li-i ) 

t ^ 1 ’ * * * » ^ 

^m-1 ^ ^ i 


= Pr(X^ e (m+l)j |X^ e mi) • 


m 


m 
Pr(X 


. e (m - 1 ) ijj. _ -I »«»«»X. e li,) 

S-1 JJJJ; ^1 ^ 

T ^ ^^m-l» ‘ * * *^t, ^ 

£=l,...,m ^ 


$$= \Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi) \cdot 1 = \Pr(X_{t_m} \in (m+1)j \mid X_{t_m} \in mi)$$

which shows equation 3.4.7.

Combining Lemma 2 with Theorem 2, we obtain the following 
result : 

Theorem 3: If $\bar{X}_S$ is strongly lumped and equation 3.4.9 holds for
each phase m, m=1,...,k-1, then for any Cartesian trajectory set V

$$\overline{\Pr}(V) = I(0)\left[\prod_{m=1}^{k-1} P(m)G(m)H(m)\right]P(k)F(k).$$



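Under the conditions of Theorem 3, we observe that $\bar{X}_S$ is a
Markov process (but not necessarily stationary). This can be
demonstrated as follows.

$$\begin{aligned}
&\overline{\Pr}(\bar{X}_{m+1} = (m+1)j \mid \bar{X}_m = mi_m, \ldots, \bar{X}_1 = 1i_1) \\
&\quad= \Pr(X_{t_{m+1}} \in (m+1)j \mid X_{t_m} \in mi_m,\ X_{t_{m-1}} \in (m-1)i_{m-1},\ \ldots,\ X_{t_1} \in 1i_1) \\
&\quad= \sum_{(m+1)i \in Q_{m+1}} \Pr(X_{t_{m+1}} \in (m+1)j \mid X_{t_m} \in (m+1)i,\ X_{t_m} \in mi_m,\ \ldots,\ X_{t_1} \in 1i_1) \\
&\qquad\qquad \cdot \Pr(X_{t_m} \in (m+1)i \mid X_{t_m} \in mi_m,\ \ldots,\ X_{t_1} \in 1i_1) \\
&\quad= \sum_{(m+1)i \in Q_{m+1}} \Pr(X_{t_{m+1}} \in (m+1)j \mid X_{t_m} \in (m+1)i) \cdot \Pr(X_{t_m} \in (m+1)i \mid X_{t_m} \in mi_m) \\
&\quad= \Pr(X_{t_{m+1}} \in (m+1)j \mid X_{t_m} \in mi_m) \\
&\quad= \overline{\Pr}(\bar{X}_{m+1} = (m+1)j \mid \bar{X}_m = mi_m).
\end{aligned}$$

Hence, $\bar{X}_S$ satisfies the Markov property.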

Moreover, if we extend the definition of the interphase
transition matrices so that H(0) is the identity matrix, i.e.,

$$H(0) = [h_{ij}(0)]$$

where

$$h_{ij}(0) = \begin{cases} 1 & \text{if } i = j \\ 0 & \text{otherwise,} \end{cases}$$

then the transition probabilities of $\bar{X}_S$ associated with phase m
can be expressed as a matrix

$$\bar{P}(m) = [\bar{p}_{ij}(m)]$$

where

$$\begin{aligned}
\bar{p}_{ij}(m) &= \overline{\Pr}(\bar{X}_m = mj \mid \bar{X}_{m-1} = (m-1)i) \\
&= \Pr(X_{t_m} \in mj \mid X_{t_{m-1}} \in (m-1)i) \\
&= \sum_{m\ell \in Q_m} \Pr(X_{t_m} \in mj \mid X_{t_{m-1}} \in m\ell) \cdot \Pr(X_{t_{m-1}} \in m\ell \mid X_{t_{m-1}} \in (m-1)i) \\
&= \sum_{\ell=1}^{b_m} h_{i\ell}(m-1)\, p_{\ell j}(m).
\end{aligned}$$

Accordingly,

$$\bar{P}(m) = H(m-1)P(m)$$

and equation 3.4.8 can be represented in a more convenient form:

$$\overline{\Pr}(V) = I(0)\left[\prod_{m=1}^{k-1} \bar{P}(m)G(m)\right]\bar{P}(k)F(k). \qquad (3.4.10)$$


Since (m) generally depends on the observation time t^^^ even 
when $X_S$ is stationary, the transition probabilities $\bar{p}_{ij}(m)$ may
not be the same for different phases. Hence $\bar{X}_S$ is a time varying
Markov process.

Although Theorem 3 provides us with a formula for evaluating
the probability of an arbitrary Cartesian trajectory set V, it has
the disadvantage that equation 3.4.9 has to be verified with
respect to all possible sequences of lumped states $X_{t_m} \in mi_m$ where
$mi_m \in Q_m$, m = 1,2,...,k. Thus in order to further simplify the
computation, we have identified the following stronger condition.

By applying arguments similar to the proof of Lemma 1, we
show that equation 3.4.9 holds when the probabilities

$$\Pr(X_{t_m} \in (m+1)j \mid X_{t_m} = q)$$

are the same for all $q \in mi$. Hence, we obtain the following
important result.

Theorem 4: If $\bar{X}_S$ is strongly lumped and for all $m \in \{1,2,\ldots,k-1\}$,
$(m+1)j \in Q_{m+1}$, and $mi \in Q_m$ the probabilities

$$\Pr(X_{t_m} \in (m+1)j \mid X_{t_m} = q)$$

are the same for all $q \in mi$, then

$$\overline{\Pr}(V) = I(0)\left[\prod_{m=1}^{k-1} P(m)G(m)H(m)\right]P(k)F(k)$$

for all Cartesian trajectory sets V.

Theorems 2-4 tell us, under successively more stringent 
conditions, how the probability of a Cartesian set V may be 
iteratively computed from knowledge of the intraphase processes 
(the P matrices), the interphase transitions (the K or H matrices), 
and the set V (the G and F matrices). Under the conditions of 
Theorem 4, the P and H matrices are relatively easy to obtain. 

Under the weaker conditions of Theorem 3, it appears difficult 
to determine whether these conditions are indeed satisfied, 
although we have not as yet had enough experience with such 
calculations to judge the extent of the difficulty. A similar 
comment applies to the even weaker conditions of Theorem 2. 

However, we do believe that the theory developed above demonstrates
the feasibility of "Michigan lumping", i.e., lumping a phased
model according to the computational requirements of each phase
as opposed to "homogeneous lumping" which uses the same lumping
relation throughout the utilization interval.
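
The following Python sketch is an added example, not code from this report or from METAPHOR. It builds the triplicated system of Section 3.4.3 with Q = {0,1}^3, lumps it by number of faulty subsystems, tests strong lumpability, and evaluates the probability of one Cartesian set on both the unlumped model (equation 3.4.1) and the lumped model. The per-phase failure probabilities, the no-repair failure model, the chosen set V and all function names are assumptions; because the same lumping is used in every phase, H(m) is the identity.

```python
"""Strong lumping of a triplicated system and evaluation of Pr(V)."""
from itertools import product

# Constructed sample data (assumption): probability that a fault-free
# subsystem fails during phase 1, 2 and 3.
PHASE_FAIL_PROB = [0.01, 0.05, 0.02]

# Unlumped state space Q = {0,1}^3; q[i] == 1 means subsystem i is faulty.
STATES = list(product((0, 1), repeat=3))


def phase_matrix(p):
    """Unlumped 8x8 matrix P(m) = [Pr(X_tm = r | X_tm-1 = q)] (assumed model)."""
    def step(a, b):
        if a == 1:                       # a faulty subsystem stays faulty
            return 1.0 if b == 1 else 0.0
        return p if b == 1 else 1.0 - p
    return [[step(q[0], r[0]) * step(q[1], r[1]) * step(q[2], r[2])
             for r in STATES] for q in STATES]


def lumps_by_fault_count():
    """The partition {11, 12, 13, 14} of the text, as lists of state indices."""
    return [[i for i, q in enumerate(STATES) if sum(q) == n] for n in range(4)]


def lump_matrix(P, lumps, tol=1e-12):
    """Return the lumped matrix [Pr(X_tm in mj | X_tm-1 in mi)] if P is
    strongly lumpable with respect to `lumps`, otherwise None."""
    lumped = []
    for src in lumps:
        rows = [[sum(P[q][r] for r in dst) for dst in lumps] for q in src]
        for row in rows[1:]:
            if any(abs(x - y) > tol for x, y in zip(row, rows[0])):
                return None              # probability depends on q inside the lump
        lumped.append(rows[0])
    return lumped


def pr_cartesian(I0, Ps, Rs):
    """I(0) [prod_{m<k} P(m)G(m)] P(k)F(k) for V = R_1 x ... x R_k.

    Rs[m] is the set of state (or lump) indices allowed at the (m+1)-th
    observation time; zeroing the other entries is the product with G or F.
    """
    v = list(I0)
    for P, R in zip(Ps, Rs):
        v = [sum(v[i] * P[i][j] for i in range(len(v)))
             for j in range(len(P[0]))]
        v = [x if j in R else 0.0 for j, x in enumerate(v)]
    return sum(v)


def demo():
    """Evaluate the same Cartesian set on the 8-state and the 4-state model."""
    lumps = lumps_by_fault_count()
    Ps = [phase_matrix(p) for p in PHASE_FAIL_PROB]
    lumped_Ps = [lump_matrix(P, lumps) for P in Ps]
    # V: no fault at t1, at most one fault at t2 and at t3 (lump indices 0, 1).
    lumped_Rs = [{0}, {0, 1}, {0, 1}]
    Rs = [{q for j in R for q in lumps[j]} for R in lumped_Rs]  # unions of lumps
    I0 = [1.0] + [0.0] * 7               # start in (0,0,0)
    lumped_I0 = [sum(I0[q] for q in lump) for lump in lumps]
    return (pr_cartesian(I0, Ps, Rs),
            pr_cartesian(lumped_I0, lumped_Ps, lumped_Rs))


def coarse_partition_is_lumpable():
    """A two-lump partition (<= 1 fault, >= 2 faults) is not strongly lumpable."""
    coarse = [[i for i, q in enumerate(STATES) if sum(q) <= 1],
              [i for i, q in enumerate(STATES) if sum(q) >= 2]]
    return lump_matrix(phase_matrix(0.05), coarse) is not None


if __name__ == "__main__":
    unlumped, lumped = demo()
    print(f"Pr(V) unlumped = {unlumped:.9f}, lumped = {lumped:.9f}")
    print("coarse partition strongly lumpable:", coarse_partition_is_lumpable())
```

The two-lump partition is rejected because the probability of ending a phase with two or more faults differs between a fault-free state and a one-fault state, which is exactly the invariance that strong lumpability requires.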

During the next reporting period we intend to more fully
explore the practical implications of these lumping methods by
experimenting with various types of base models and various types
of Cartesian sets. We also wish to explore weaker types of
lumping which result in nonequivalent models, but where the
performability of the lumped model closely approximates that
of the unlumped model.

3.5 Hierarchical Modeling of an Air Transport Mission

Several prototype air transport models have been examined 
in the course of the present reporting period. Below we report 
in detail on one such model. This is a comprehensive example 
and should serve to illustrate some of the concepts discussed 
in the previous sections. In particular, the uses of capability 
functions (Section 3.2.2), partial capability functions (Section 
3.3.1) and interlevel translations (Section 3.3.1) are demon- 
strated, while state spaces, utilization periods, trajectory 
spaces and trajectories (Section 3.1.1) are explicitly shown. 

In addition, the evaluation of performability is exhibited. 

This section is organized as follows. First, some notational
conventions are set forth (Section 3.5.1). Then, starting from
an informal general description (or concept) of a specific air
transport mission, an accomplishment set is defined in Section
3.5.2. The particular mission is an extension of the mission
discussed in the second Semi-Annual Status Report [2]. With
some broad assumptions concerning the aircraft, the upper
level models of a model hierarchy were constructed. Section
3.3.3 describes the resulting models. This part of the
hierarchy consists of three levels: the mission level, the aircraft
task level, and the computational task level. (A fourth level,
the computational hardware level, will be discussed later.)

Some of the techniques used to characterize the models at the
upper levels have been delineated in the first two Semi-Annual
Status Reports [1-2]. However, in the presentation given in
this report, interlevel translations have been introduced.
Other defining quantities such as state spaces have been
explicitly stated, and the overall discussion has been
formalized.

Next, Section 3.5.4 reports on a calculus being developed 
which uses the interlevel translations to determine the 
trajectory preimages of the capability function, i.e., 

(See Section 3.3.1.) With this calculus, the partial capability 
functions at each of the first three levels were derived. 

These are presented in Section 3.5.5.

The final segment of Section 3.5 discusses the perform- 
ability evaluation (over the total system) of three computers. 

The three computers are different configurations of four
modules of equal computational power. A computer hardware level
model was constructed for each computer and placed in the
hierarchy. Section 3.5.6 describes these models. Thus, a
separate hierarchy was evolved for each computer. From these
hierarchies, three capability functions were determined, as
reported in Section 3.5.7. The capability functions were then
evaluated over several sets of utilization intervals and
computer failure rates. Section 3.5.8 discusses METAPHOR, a software
package being developed to aid in performability evaluation.
Finally, METAPHOR is used to evaluate the three computers.

3.5.1. Notational Conventions 

Several conventions concerning notation used in this
mission model have been adopted. These are presented here for
convenience.

In Sections 3.1.1 and 3.3.1, important foundations were
established for the trajectory spaces U and employed in the
evaluation of the capability function. The existence of a
probability space $(\Omega, E, P)$ underlying the total system was
postulated and the stochastic processes supporting the
trajectory spaces were characterized. Recognition of these
quantities is important, particularly to understand the stochastic
nature of the models used and to differentiate between trajectories
and the random processes which define them.

In the discussion of this mission model, no explicit
description of the probability space will be presented other
than assigning probabilities to certain events. In
particular, specific references to outcomes $\omega \in \Omega$ will be
dropped except where necessary for definition purposes. This
is a standard convention for random processes. Furthermore,
the random process $X^i$ underlying a trajectory space will not
be expressly stated except again where necessary. Therefore a
trajectory $u \in U^i$ implicitly refers to a random process $X^i$ evaluated
at some sample $\omega \in \Omega$ such that $X^i(\omega) = u$. (See Section 3.1.1.)

For this treatment then, a composite trajectory at level i
is a function $u_c^i : T_c^i \to Q_c^i$, where $u_c^i(t) = X_{c,t}^i(\omega)$ for some
$\omega \in \Omega$, $T_c^i$ is the $i$-th level composite utilization period while
$Q_c^i$ is the $i$-th level composite state space. The $i$-th level composite
trajectory space is the set $U_c^i = \{u_c^i \mid \omega \in \Omega\}$. In addition,
$u_b^i : T_b^i \to Q_b^i$, $T_b^i$, $Q_b^i$, $U_b^i$ are analogously defined
for the basic process $X_b^i$. The $i$-th level trajectory space is
thus $U^i = U_c^i \otimes U_b^i = \{(u_c^i, u_b^i) \mid \omega \in \Omega\}$ (see Section 3.1.2).

In this mission model, the random processes $X_c^i$ and $X_b^i$
generally delineate several system components, i.e., features
such as hardware subsystems or behavioral functions which are
identifiable and helpful in describing the system. As noted
in Section 3.3, $X_c^i$ and $X_b^i$ can be coordinatized; the
projection of $X_c^i$ ($X_b^i$) on a particular coordinate is called
a composite (basic) variable. For the trajectories used, two
coordinates are employed. One coordinate is the particular
component being observed, while the other coordinate is the
observation time.


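More precisely, a trajectory $u^i \in U^i$ is first written as
a column array:

$$u^i = \begin{bmatrix} u_c^i \\ u_b^i \end{bmatrix}$$

where $u_c^i$ is the composite trajectory and $u_b^i$ is the base
trajectory. In case the number of observation times at
level i is finite, expansion along the time coordinate
yields the representation

$$u^i = \begin{bmatrix} u_c^i(t_1) & u_c^i(t_2) & \cdots & u_c^i(t_n) \\ u_b^i(t_1) & u_b^i(t_2) & \cdots & u_b^i(t_n) \end{bmatrix}$$

where $T^i = \{t_1, t_2, \ldots, t_n\}$. If the composite and basic
components are respectively $u_{c_1}^i, u_{c_2}^i, \ldots, u_{c_m}^i$ and $u_{b_1}^i, u_{b_2}^i, \ldots, u_{b_p}^i$,
then expansion along the component coordinate yields:

$$u^i = \begin{bmatrix} u_{c_1}^i \\ u_{c_2}^i \\ \vdots \\ u_{c_m}^i \\ u_{b_1}^i \\ u_{b_2}^i \\ \vdots \\ u_{b_p}^i \end{bmatrix}$$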


Thus along both coordinates, the expanded representation is: 


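$$u^i = \begin{bmatrix}
u_{c_1}^i(t_1) & \cdots & u_{c_1}^i(t_n) \\
u_{c_2}^i(t_1) & \cdots & u_{c_2}^i(t_n) \\
\vdots & & \vdots \\
u_{c_m}^i(t_1) & \cdots & u_{c_m}^i(t_n) \\
u_{b_1}^i(t_1) & \cdots & u_{b_1}^i(t_n) \\
\vdots & & \vdots \\
u_{b_p}^i(t_1) & \cdots & u_{b_p}^i(t_n)
\end{bmatrix}$$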
A projection along a single time coordinate is referred to
as a trajectory observation. Similarly, a projection along
a single component will be called a component trajectory.
For instance

$$\begin{bmatrix} u_{c_1}^i(t_k) \\ \vdots \\ u_{c_m}^i(t_k) \\ u_{b_1}^i(t_k) \\ \vdots \\ u_{b_p}^i(t_k) \end{bmatrix}$$

is a trajectory observation at time $t_k$, while

$$\begin{bmatrix} u_{c_j}^i(t_1) & \cdots & u_{c_j}^i(t_n) \end{bmatrix}$$

is a component trajectory of the $j$th composite component.

The interval between the $k$th and $(k+1)$th sample is called
the $(k+1)$th ,


As an example to clarify this notation and illustrate
its use, consider the following. Suppose, at hierarchy level
2, a model with two composite components (flight control system
(FCS) and navigation (NAV)) and a single basic component (air
traffic control (ATC)) has been constructed. Suppose further that
the utilization period involves three samples $T = \{t_1, t_2, t_3\}$.

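To prevent the necessity of writing the level number with
every variable of the model, the trajectory space at level 2
is called $Y$. A trajectory in $Y$ is denoted $y$, while
a variable in $y$ denoting the $j$th composite component at the
$t_k$ observation time is written $y_{c_j,t_k}$. Thus, a trajectory
is represented by

$$y = \begin{bmatrix}
y_{c_1,t_1} & y_{c_1,t_2} & y_{c_1,t_3} \\
y_{c_2,t_1} & y_{c_2,t_2} & y_{c_2,t_3} \\
y_{b_1,t_1} & y_{b_1,t_2} & y_{b_1,t_3}
\end{bmatrix}
\begin{matrix} \text{FCS} \\ \text{NAV} \\ \text{ATC} \end{matrix}$$

Then with the obvious correspondence $c_1 = 1$, $c_2 = 2$, $b_1 = 3$, $t_1 = 1$,
$t_2 = 2$, and $t_3 = 3$, we write

$$y = \begin{bmatrix}
y_{11} & y_{12} & y_{13} \\
y_{21} & y_{22} & y_{23} \\
y_{31} & y_{32} & y_{33}
\end{bmatrix}
\begin{matrix} \text{FCS} \\ \text{NAV} \\ \text{ATC} \end{matrix}$$

Here the composite trajectory is

$$y_c = \begin{bmatrix} y_{11} & y_{12} & y_{13} \\ y_{21} & y_{22} & y_{23} \end{bmatrix}$$

while the basic trajectory is

$$y_b = \begin{bmatrix} y_{31} & y_{32} & y_{33} \end{bmatrix},$$

where, for example, $y_{23}$ is the state of the navigation system
at the third observation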
Finally, a projection function $\xi_{jk}(A) = a_{jk}$, where $A$ is the
matrix $[a_{pq}]$ (see Section 3.3.2.1), is frequently composed with
an interlevel translation. This is done to extract the particular
portion of the function range which is of interest. As
an illustration, consider the level $i$ composite model having
$m$ components $u_{c_1}^i, \ldots, u_{c_m}^i$,

$$u_c^i = u_{c_1}^i \otimes \cdots \otimes u_{c_m}^i$$

where the $u_{c_j}^i$ can be further coordinatized along time, $u_{c_j}^i(t_k)$,
where $t_k \in T^i$. Using the projection function, $u_{c_j}^i(t_k)$ will be
written $\xi_{jk} u_c^i$. The interlevel translation from level $i+1$ to
level $i$ (assuming level $i+1$ exists) is

$$\kappa_{i+1} : U^{i+1} \to U_c^i$$

and to select the function mapping $U^{i+1}$ into $\xi_{jk} U_c^i$,
we write

$$\xi_{jk}\kappa_{i+1} : U^{i+1} \to \xi_{jk} U_c^i .$$

We shall refer to $\xi_{jk}\kappa_{i+1}$ as the $j$th component function at
observation $k$.
3.5.2 Mission Description and Accomplishment Set

We consider a basic air transport mission which can be 
characterized as follows: 

Mission Statement: "Transport passengers between two
points safely, conveniently and with
minimal fuel consumption."

The total system S = (C,E,P,L) is a flight control computer C
operated in the environment E of a portal-to-portal flight of a
commercial aircraft P within an airline L. Specifically, C is
the object system, E is the environment system, P is the set of
related systems, and L is the demand system. The user is interested
in fuel efficiency, timeliness and safety;
accordingly, the mission statement entails three actions which
must be monitored to judge mission performance.

Mission Requirement Set 

i) A given safety rate is to be attained, 

ii) Inconveniences (diversions) are to be minimized,

iii) Fuel consumption is to be minimized. 

Now we can specify a set of accomplishment levels 

$A = \{a_0, a_1, a_2, a_3, a_4\}$

where in general terms the following correspondences hold:

$a_0$ = low fuel consumption, no diversion to an alternate
landing site, and no fatalities,

$a_1$ = high fuel consumption, no diversion, and no fatalities,

$a_2$ = low fuel consumption, diversion, and no fatalities,

$a_3$ = high fuel consumption, diversion, and no fatalities,

$a_4$ = fatal crash.

The utilization period of the mission is taken to be 
T = [0,T]. To develop the model hierarchy, a top down approach 
is used. Thus, the model at level i is generated and enlarged
before the model at level i+1 (the next lower level) is 
developed. In the process of characterizing level i, 
we may not know which variables are to be expanded at level 
i+1 (i.e., which variables are composite) and which variables 
will not depend on lower level variables (i.e., which variables
are basic). Thus when variables are introduced no claim
is made as to whether they are composite or
basic. Only when the next lower level is constructed do we
make such classifications.

3.5.3. Higher Level Models 

This section develops the models used at the first three 
levels. These are the mission level, the aircraft task level
and the computational task level. The model description 
presented at each level consists of a set of random variables 
characterizing the system at that level, the state space, the 
sample time set and the trajectory set. In addition, an 
interlevel translation is defined at each level to connect 
that level with the next higher level. 

3.5.3.1 Mission Level Model Development

Level 0, the top level, describes those aspects of the
total system performance that the user considers important. 

The model at this level thus characterizes the relevant factors 
deemed pertinent for a mission. In particular, the model must 
have a scope broad enough and a level of abstraction high 
enough to support the accomplishment level descriptions. 

For the given accomplishment levels then, an appropriate 
scope for the top level is the air carrier, while a suitable
abstraction level corresponds to the mission itself. We will
therefore refer to this level as the "mission level." After
examining the verbal definitions of the accomplishment levels,
the mission level can be formally represented by a single
variable random process $Z$ taking values in the state space

$$Q^0 = \{0,1\}^3$$

where the values $z = (z_1, z_2, z_3)$ of $Z$ are interpreted as follows:

$$z_1 = \begin{cases} 0 & \text{if mission is fuel efficient} \\ 1 & \text{otherwise,} \end{cases}$$

$$z_2 = \begin{cases} 0 & \text{if mission is not diverted} \\ 1 & \text{otherwise,} \end{cases}$$

$$z_3 = \begin{cases} 0 & \text{if mission is safe} \\ 1 & \text{otherwise (fatal crash).} \end{cases}$$

Since the model at this level is a single random variable, the
trajectory space coincides with the state space, that is

$$Z = U^0 = Q^0 = \{0,1\}^3 .$$

We can now determine the interlevel translation between
the mission level trajectory space $Z$ and the accomplishment set
$A$. Table 1 specifies $\kappa_0$. Thus if we know the value $z$ of the mission
variable $Z$, we know the mission's level of accomplishment. For
example, employing the array representation scheme discussed in
Section 3.5.1, the (degenerate) trajectory

$$z = \begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix}$$

says the mission resulted in low fuel consumption, no diversion
and no fatalities, and accordingly $\kappa_0(z) = a_0$.
3.5.3.2 Aircraft Functional Task Level Model Development

The next lower level, level 1, is an intermediate level
describing the performance of the aircraft with regard to the
total system. For this level, the scope will thus be the aircraft,
while the level of abstraction will be the functional
tasks of the aircraft. Level 1 will therefore be referred to as
the "aircraft functional task level."

To construct the aircraft functional task level, we must
first determine an appropriate set of random processes with
which to describe the level.

However, to select such a set, we must first examine the system
properties we wish the processes to reflect.

For this simple model, assume that we know the
following characteristics about the aircraft in which the
computer is to be used:

a) For the missions in which the aircraft is utilized, 
the fuel capacity is such that if fuel consumption is 
high for more than half of the mission time, the air- 
craft runs out of fuel and crashes. 

b) The aircraft has an autoland system which, if working, 
will land the plane in any weather. If autoland is 
being used and fails, the aircraft crashes. 

c) The autoland system is used only in Category III
weather.

d) If at the initiation of landing, the fuel consumption 
has been high for any part of the mission, autoland 
will not be attempted. Instead, the aircraft will be 
diverted if Category III weather occurs. 
e) If the aircraft crashes, fatalities will occur.

At this time, we will not consider factors affecting the mission
variables other than those mentioned above. In particular, we
ignore those elements of the total system upon which the
computer has no effect. Then from the above specifications,
we can write the following conditions for the mission variables
$Z$:

$$z_1 = \begin{cases} 0 & \text{if fuel regulation works for the entire mission} \\ 1 & \text{otherwise,} \end{cases}$$

$$z_2 = \begin{cases} 1 & \text{if weather is bad at initiation of landing and autoland is not available} \\ 0 & \text{otherwise,} \end{cases}$$

$$z_3 = \begin{cases} 1 & \text{if either a) fuel regulation works for less than half of the mission time} \\ & \text{or b) weather is bad at initiation of landing, and autoland is available at that time but fails during landing} \\ 0 & \text{otherwise.} \end{cases}$$

To characterize the aircraft level, we will utilize a random
process with two variables, $Y = \{X^1_{T_L}, X^1_T\}$, where $T_L$ is the time
at which landing is initiated. The state space is

$$Q^1 = \{0,1,2,3,4,5,6,7\} \times \{0,1\}$$

where the values $y = (y_1, y_2)$ of $Y$ have the following meanings:
$$y_1 = \begin{cases}
0 & \text{if fuel regulation works for entire phase and autoland available at end of cruise} \\
1 & \text{if fuel regulation works entire phase but autoland not available at end of cruise} \\
2 & \text{if fuel regulation works for time } T_L/2 < t < T_L \\
3 & \text{if fuel regulation works for time } t < T_L/2 \\
4 & \text{if fuel regulation works for entire phase, and autoland successful} \\
5 & \text{if fuel regulation works for entire phase, but autoland not successful} \\
6 & \text{if fuel regulation fails, but autoland successful} \\
7 & \text{if fuel regulation fails and autoland fails.}
\end{cases}$$

$$y_2 = \begin{cases} 0 & \text{if non-Category III weather at end of cruise} \\ 1 & \text{otherwise.} \end{cases}$$

With the array representation of Section 3.5.1, a trajectory $y \in Y$
will be written in the form

$$y = \begin{bmatrix} y_{11} & y_{12} \\ y_{21} & y_{22} \end{bmatrix}
\begin{matrix} \text{Control} \\ \text{Weather} \end{matrix}$$

where $y_1 = (y_{11}, y_{12})$ are the variables denoting the control
systems of the aircraft (i.e., fuel regulation and autoland)
and $y_2 = (y_{21}, y_{22})$ are the variables denoting the weather the mission
encounters.

To be logically consistent with the requirements of the
mission variables $Z$ noted above, we can restrict the values that
the $y_{ij}$ can take on. Thus,

$y_{11} \in \{0,1,2,3\}$

$y_{12} \in \{4,5,6,7\}$

$y_{21} \in \{0,1\}$

$y_{22} = \phi$ (i.e., the fictitious state,
see Section 3. . ).

That is, $y_{11}$ and $y_{12}$ describe the control performance of the
aircraft in terms of the plane's fuel regulation and autoland
performance. The variable $y_{21}$ samples the weather at the end
of the cruise phase. Since we are unconcerned with the weather
during the landing phase, the variable $y_{22}$ is assigned the
trivial state $\phi$. The aircraft trajectory space is hence
$Y = U^1 = \{0,1,2,3\} \times \{4,5,6,7\} \times \{0,1\}$.

With the above definition of $Y$, we are now able to state
the interlevel translation function between the aircraft task
level and the mission level, i.e., $\kappa_1 : Y \to Z$. Because each
component of $Z$ is decomposed within level 1, $Z = Z_c$ and so
each component at level 0 is composite. Thus, $\kappa_1$ maps into $Z$,
that is, $\kappa_1 : Y \to Z$. Now $\kappa_1$ can be broken into its component functions

$$\xi_1\kappa_1 : Y \to \xi_1 Z, \qquad \xi_2\kappa_1 : Y \to \xi_2 Z, \qquad \xi_3\kappa_1 : Y \to \xi_3 Z.$$

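Then by matching the definitions of the $y_{ij}$'s with the definitions
of $z_1$, $z_2$ and $z_3$, the following functions are obtained:

$$\xi_1\kappa_1(y) = \begin{cases} 0 & \text{if } y_{11} \in \{0,1\} \text{ and } y_{12} \in \{4,5\} \\ 1 & \text{otherwise} \end{cases}$$

$$\xi_2\kappa_1(y) = \begin{cases} 1 & \text{if } y_{11} \in \{1,2,3\} \text{ and } y_{21} = 1 \\ 0 & \text{otherwise} \end{cases}$$

$$\xi_3\kappa_1(y) = \begin{cases} 1 & \text{if either a) } y_{11} = 3 \text{ or } (y_{11} = 2 \text{ and } y_{12} \in \{6,7\}) \\ & \text{or b) } y_{11} = 0 \text{ and } y_{12} \in \{5,7\} \text{ and } y_{21} = 1 \\ 0 & \text{otherwise.} \end{cases}$$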





Note that we make two pessimistic and simplifying assumptions
regarding $\xi_3\kappa_1$. First, if the fuel regulation works for less
than half of the takeoff/cruise phase (hence $y_{11} = 3$), then we
assume that the fuel regulation works for less than half of the
mission (hence $\xi_3\kappa_1(y) = 1$). This assumption is justified if
Pr (fuel regulation works for $t < T_L/2$
during $[0, T_L]$)

Pr (fuel regulation works for $t < T/2$
during $[0, T]$).

Some basis for this claim lies in the fact that the takeoff/
cruise phase is usually significantly longer than the landing
phase, that is, $T_L \gg T - T_L$.

The second assumption is that if the fuel regulation fails
at all during the takeoff/cruise phase and then fails at all
during the landing phase, then the fuel regulation fails for at
least half of the mission. In other words, if $y_{11} \in \{2,3\}$ and
$y_{12} \in \{6,7\}$, then $\xi_3\kappa_1(y) = 1$.

Both assumptions are pessimistic in that some non-fatal
missions will be associated with fatalities ($z_3 = 1$). These
assumptions must be made because the resolution of the aircraft
function variables does not allow the exact determination of
the time that the fuel regulation works. Such a determination
could be made by simply modifying the aircraft function variables
to have one variable monitor the autoland and a second variable
(continuous, ranging over $[0,T]$) keep track of the time the fuel
regulation works. However, for this illustrative example, we
adopt the simpler view.

3.5.3.3 Computational Task Level Model Development

In continuing the decomposition of the mission and the
corresponding development of the hierarchy, we must next describe
the variables composing the aircraft functions described in the 
previous section. Because we wish to evaluate the computer's 
effectiveness, we ignore non-computer related components. Thus, 
the scope of this level will be the computer while the level of 
abstraction will be the functional tasks of the computer. Hence 
level 2 will be called the "computational task level." 

For this mission, we assume that the aircraft tasks fuel 
regulation and autoland each has a computational task: fuel regu- 
lation computations and autoland computations. Furthermore, we 
assume that in order for the aircraft task to be successful, its 
corresponding computational task must also be successful. If, 
for example, not all of the autoland computations are done, then
the autoland task is not achieved, and so autoland can not be
performed. The weather variable at the aircraft functional task
level $(y_{21}, y_{22})$ has no computer support and therefore is a
basic variable.

The computational task level can be described by a three variable
random process $X = \{X^2_{T_H}, X^2_{T_L}, X^2_T\}$, where $T_H$ is an observation
time halfway between 0 and $T_L$, that is, $T_H = T_L/2$. The
state space is

$$Q^2 = \{0,1\}^2$$

where the values $x = (x_1, x_2)$ of $X$ have the following interpretations:

$$x_1 = \begin{cases} 0 & \text{if fuel regulation computations are successful} \\ 1 & \text{otherwise,} \end{cases}$$

$$x_2 = \begin{cases} 0 & \text{if autoland computations are successful} \\ 1 & \text{otherwise.} \end{cases}$$

In the representation of Section 3.5.1, a trajectory $x \in X$ will
be written as

$$x = \begin{bmatrix} x_{11} & x_{12} & x_{13} \\ x_{21} & x_{22} & x_{23} \end{bmatrix}
\begin{matrix} \text{Fuel regulation computations} \\ \text{Autoland computations} \end{matrix}$$

(columns 1 and 2: Takeoff/cruise; column 3: Landing)

where $x_1 = (x_{11}, x_{12}, x_{13})$ are variables representing the fuel
regulation computations while $x_2 = (x_{21}, x_{22}, x_{23})$ are variables
representing the autoland computations.

The observations $x_{ij}$ are made as follows:

[Figure: observation times of the $x_{ij}$ over the first half of takeoff/cruise, the second half of takeoff/cruise, and landing.]
Because success or failure of the autoland computations at the
halfway point of the cruise phase cannot affect the availability
of the computations at the end of the cruise phase, the variable
$x_{21}$ is assigned $\phi$, the fictitious state. All other variables can
be either 0 or 1. Thus, the computational level trajectory space
is $X = U^2 = \{0,1\}^5$. All computational tasks are assumed successful
at the beginning of the mission ($t = 0$). Also, knowledge of
the system's behavior at the observations $T_H$, $T_L$ and $T$ is assumed
to yield sufficient information to infer the values of the level 1
variables.


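With the above assumptions, we can then construct the
relation between $X$ and $Y$:

$$\kappa_2 : X \to Y_c$$

by first constructing:

$$\xi_{11}\kappa_2 : X \to \xi_{11} Y_c$$

and

$$\xi_{12}\kappa_2 : X \to \xi_{12} Y_c .$$

Thus,

$$\xi_{11}\kappa_2(x) = \begin{cases}
0 & \text{if } x_{11} = x_{12} = x_{22} = 0 \\
1 & \text{if } x_{11} = x_{12} = 0 \text{ and } x_{22} = 1 \\
2 & \text{if } (x_{11} = 1 \text{ and } x_{12} = 0) \text{ or } (x_{11} = 0 \text{ and } x_{12} = 1) \\
  & \text{[i.e., if } x_{11} \oplus x_{12} = 1 \text{, where } \oplus \text{ denotes the "exclusive or" operation]} \\
3 & \text{if } x_{11} = x_{12} = 1
\end{cases}$$

and

$$\xi_{12}\kappa_2(x) = \begin{cases}
4 & \text{if } x_{13} = x_{23} = 0 \\
5 & \text{if } x_{13} = 0 \text{ and } x_{23} = 1 \\
6 & \text{if } x_{13} = 1 \text{ and } x_{23} = 0 \\
7 & \text{if } x_{13} = 1 \text{ and } x_{23} = 1.
\end{cases}$$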


3.5.4 A Calculus of Trajectory Sets 

Although a fourth level (the bottom computer hardware and
software level) has yet to be discussed, it is convenient at
this time to introduce a calculus being developed which is of
great use in determining the $\gamma$-induced trajectory sets, i.e.,
$\gamma^{-1}$. This calculus will be used to simplify the upper level
models of the hierarchy before any lower level models are
examined. Also, the calculus is used to assimilate lower
levels as they are developed. After the lowest level of the
hierarchy has been operated upon, the result is $\gamma^{-1}$. Derivation
of $\gamma^{-1}$ is important because, using the techniques of
Section 3.4.2 on $\gamma^{-1}$, performability calculations for the
system can then be effected.

The calculus presented here is part of an ongoing effort
to produce general tools for performability evaluation.

Although the description in this section is oriented to this
particular mission model, the technique is generalizable.

Section 3.5.4.1 below furnishes an algorithm (based on the given
mission model; see Section 3.3.1 for the general case) for
extracting $\gamma^{-1}$, while Section 3.5.4.2 gives the actual trajectory
set calculus in terms of a representation for trajectory
sets and some basic operations on those sets.
3.5.4.1 An Algorithm for Determining $\gamma^{-1}$

An immediate goal within this mission model discussion is
a characterization of the capability function

$$\gamma : W \times X_b \times Y_b \times Z_b \to A$$

where $W$ is the fourth level trajectory space to be described in
Section 3.5.6. From $\gamma$, we then determine the preimage sets of
$\gamma$ (i.e., the "$\gamma$-induced trajectory sets"). That is, we wish to
find $\gamma^{-1}(a) = \{u \mid \gamma(u) = a$ and $u \in W \times X_b \times Y_b \times Z_b$, i.e., $u$ is
a mission trajectory$\}$ for all $a \in A$. Then using the techniques
outlined in Section 3.4, we can determine the probability distribution
of the accomplishment set for the mission, that is, the
performability:

$$p_S(a) = \Pr(\{u \mid \gamma(u) = a\}) = \Pr(\gamma^{-1}(a))$$

for all $a \in A$.

Below is an algorithm for determining $\gamma^{-1}$. Based on the
discussion in Section 3.3.1, the algorithm constructs $\gamma^{-1}$ iteratively,
employing partial capability functions and interlevel
translations. The symbol $\forall$ denotes "for all."

1) Find $\gamma_0^{-1}(a) = \{(z) \mid \gamma_0(z) = a\}$ $\forall a \in A$. Since $\gamma_0 = \kappa_0$,
this is equivalent to finding $\kappa_0^{-1}(a)$ $\forall a \in A$.

2) Find $\gamma_1^{-1}(a) = \{(y, z_b) \mid \gamma_1(y, z_b) = a\}$ $\forall a \in A$. This is
achieved by finding $\kappa_1^{-1}(z_c)$ for each $z = \begin{bmatrix} z_c \\ z_b \end{bmatrix} \in \gamma_0^{-1}(a)$. Since in
this hierarchy $Z_b$ is empty, then $z_c = z$ and so we need to find
$\kappa_1^{-1}(z)$ $\forall z \in Z$. Once $\kappa_1^{-1}$ is known,

$$\gamma_1^{-1}(a) = \{(y, z_b) \mid \gamma_1(y, z_b) = a\} = \{(\kappa_1^{-1}(z)) \mid \gamma_0(z) = a\}.$$

3) Find $\gamma_2^{-1}(a) = \{(x, y_b, z_b) \mid \gamma_2(x, y_b, z_b) = a\}$ $\forall a \in A$. Here,
we must find $\kappa_2^{-1}(y_c)$ for each $y = \begin{bmatrix} y_c \\ y_b \end{bmatrix} \in \gamma_1^{-1}(a)$. Then

$$\gamma_2^{-1}(a) = \{(x, y_b, z_b) \mid \gamma_2(x, y_b, z_b) = a\} = \{(\kappa_2^{-1}(y_c), y_b) \mid \gamma_1(y) = a\}.$$

4) Find $\gamma^{-1}(a) = \gamma_3^{-1}(a) = \{(w, x_b, y_b, z_b) \mid \gamma_3(w, x_b, y_b, z_b) = a\}$
$\forall a \in A$. Similar to the method in step 3, determine $\kappa_3^{-1}(x_c)$ for
each $x = \begin{bmatrix} x_c \\ x_b \end{bmatrix} \in \gamma_2^{-1}(a)$. From this,

$$\gamma^{-1}(a) = \gamma_3^{-1}(a) = \{(w, x_b, y_b, z_b) \mid \gamma_3(w, x_b, y_b, z_b) = a\} = \{(\kappa_3^{-1}(x_c), x_b, y_b, z_b) \mid \gamma_2(x, y_b, z_b) = a\}.$$

Note that since $\kappa_{i+1} : U^{i+1} \to U_c^i$, then both the domain and range
of $\kappa_{i+1}$ can be represented by arrays as discussed in Section 3.5.1.
Thus the component functions $\xi_{jk}\kappa_{i+1} : U^{i+1} \to \xi_{jk} U_c^i$ exist and are
identifiable. Now the $\kappa_{i+1}$ inverse of $v \in U_c^i$, $\kappa_{i+1}^{-1}(v)$, is
simply the set of all trajectories $u \in U^{i+1}$ such that $\kappa_{i+1}(u) = v$.
Furthermore, it is plain to see that for $u$ to map into $v$, each
component function $\xi_{jk}\kappa_{i+1}$ must map $u$ into the corresponding
component $v_{jk}$. That is,

$\kappa_{i+1}(u) = v$ if and only if $\xi_{jk}\kappa_{i+1}(u) = v_{jk}$

for all proper $j$ and $k$.

Thus, the inverse of $v$ must be the intersection of all the
inverses of $v_{jk}$. Hence,

$$\kappa_{i+1}^{-1}(v) = \bigcap_{j,k} (\xi_{jk}\kappa_{i+1})^{-1}(v_{jk}).$$


j 


For instance, if

    u    $\xi_1\kappa_{i+1}(u)$    $\xi_2\kappa_{i+1}(u)$
    1          a                 a
    2          a                 b
    3          b                 a
    4          b                 b

then

    $v_j$    $(\xi_1\kappa_{i+1})^{-1}(v_1)$    $(\xi_2\kappa_{i+1})^{-1}(v_2)$
    a          {1, 2}                {1, 3}
    b          {3, 4}                {2, 4}

and so

    v        $\kappa_{i+1}^{-1}(v) = (\xi_1\kappa_{i+1})^{-1}(v_1) \cap (\xi_2\kappa_{i+1})^{-1}(v_2)$
    [a a]    {1, 2} $\cap$ {1, 3} = 1
    [a b]    {1, 2} $\cap$ {2, 4} = 2
    [b a]    {3, 4} $\cap$ {1, 3} = 3
    [b b]    {3, 4} $\cap$ {2, 4} = 4


The next section introduces some methods examined during
the reporting period which facilitate writing these preimage sets.

3.5.4.2 Trajectory Sets, Array Products, and Intersections

Manipulation of sets of trajectories is necessary to derive
the preimage sets of $\gamma$. However, handling such sets can be
awkward because of their size. Therefore, we have been investigating
techniques of operating with sets of trajectories in a
convenient and compact manner. This section reports on the
most promising calculus investigated.

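A set of trajectories will be called a trajectory set. We
first introduce a simple representation of a trajectory set.
Consider the trajectory

$$u = \begin{bmatrix} u_{11} & \cdots & u_{1n} \\ \vdots & & \vdots \\ u_{m1} & \cdots & u_{mn} \end{bmatrix}$$

where each $u_{ij}$ can assume values in a set of states $Q_{ij}$. Each $u_{ij}$
is a "variable." For example, we may have

$$y = \begin{bmatrix} y_{11} & y_{12} \\ y_{21} & y_{22} \end{bmatrix}$$

where $y_{11} \in \{1,2,3\}$, $y_{12} \in \{0,2,4\}$, $y_{21} \in \{-1,-2\}$, and $y_{22} \in
\{a,b,c\}$. Suppose we have two trajectories $u_1$ and $u_2$ such that
$u_1$ and $u_2$ are equal variable-by-variable except for a single
variable. That is

$$u_1 = \begin{bmatrix} u_{11} & \cdots & u_{1n} \\ \vdots & u_{ij}^1 & \vdots \\ u_{m1} & \cdots & u_{mn} \end{bmatrix}, \qquad
u_2 = \begin{bmatrix} u_{11} & \cdots & u_{1n} \\ \vdots & u_{ij}^2 & \vdots \\ u_{m1} & \cdots & u_{mn} \end{bmatrix}$$

where $u_{ij}^1 \ne u_{ij}^2$. We then write the trajectory set $\{u_1, u_2\}$ as

$$\{u_1, u_2\} = \begin{bmatrix} \{u_{11}\} & \cdots & \{u_{1n}\} \\ \vdots & \{u_{ij}^1, u_{ij}^2\} & \vdots \\ \{u_{m1}\} & \cdots & \{u_{mn}\} \end{bmatrix}$$

This representation is called an array product. Note that
the concept is similar to that of a cross product. Of course,
the idea can be generalized: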
As an illustration, suppose that

r ^ 


1 1 \ 







then

$$\{y_1, y_2, y_3, y_4\} = \begin{bmatrix} \{1,3\} & \{2\} \\ \{-2\} & \{a,b\} \end{bmatrix}$$

Because the use of array products has been so widespread
in our work with trajectory sets, we have adopted the simplifying
convention of writing array product elements which are singleton
sets as elements without set brackets. Thus

$$\{y_1, y_2, y_3, y_4\} = \begin{bmatrix} \{1,3\} & 2 \\ -2 & \{a,b\} \end{bmatrix}.$$

No confusion should result since context will make clear whether
an object is an array product (and hence a set) or a single
trajectory. Furthermore, this convention makes array products
easier to read by cutting down on the number of brackets that a
reader must wade through.

Often a single array product cannot by itself represent
all the trajectories within a trajectory set. In that instance,
the union of several array products must be employed to represent
the trajectory set. Thus, for the general case, we write a trajectory
set as the union of $p$ array products,
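$$\{u_1, \ldots, u_q\} = P_1 \cup \cdots \cup P_p
= \begin{bmatrix} R_{11}^1 & \cdots & R_{1n}^1 \\ \vdots & & \vdots \\ R_{m1}^1 & \cdots & R_{mn}^1 \end{bmatrix}
\cup \cdots \cup
\begin{bmatrix} R_{11}^p & \cdots & R_{1n}^p \\ \vdots & & \vdots \\ R_{m1}^p & \cdots & R_{mn}^p \end{bmatrix}$$

$$= \left\{ \begin{bmatrix} u_{11} & \cdots & u_{1n} \\ \vdots & & \vdots \\ u_{m1} & \cdots & u_{mn} \end{bmatrix} \;\middle|\; \text{for some } i \in \{1, \ldots, p\},\ u_{jk} \in R_{jk}^i \text{ for all } j, k \right\}$$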
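For example, in addition to $y_1$, $y_2$, $y_3$, $y_4$, let

$$y_5 = \begin{bmatrix} 3 & 0 \\ -2 & a \end{bmatrix}, \qquad y_6 = \begin{bmatrix} 3 & 0 \\ -2 & b \end{bmatrix}.$$

Then

$$\{y_1, y_2, y_3, y_4, y_5, y_6\} = \begin{bmatrix} \{1,3\} & 2 \\ -2 & \{a,b\} \end{bmatrix} \cup \begin{bmatrix} 3 & 0 \\ -2 & \{a,b\} \end{bmatrix}.$$

In passing, note that this representation is not unique, e.g.,
the set above can also be written

$$\{y_1, y_2, y_3, y_4, y_5, y_6\} = \begin{bmatrix} 1 & 2 \\ -2 & \{a,b\} \end{bmatrix} \cup \begin{bmatrix} 3 & \{0,2\} \\ -2 & \{a,b\} \end{bmatrix}.$$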

A canonical form can be easily defined. For instance, an ordering
of the trajectories in the set can be made and used as a
basis for constructing the array products. However, for the
mission model example discussed in this report, a unique representation
is not required and so will not be formalized.

Two special sets should be mentioned. One is the empty set
(or null set) $\emptyset$, the set containing no elements. The other is
the full set (or universe) $*$, which represents the set containing
all elements "of interest." For trajectory sets, this is the
set of all possible states a variable can assume. For instance,
if


L -1 a j , 


then 


{Xi.yy) = 


2 i 
a 


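Another frequently used item is the null array $\Phi$. This is
defined to be any array product which contains the empty set $\emptyset$
as an element. As an instance,

$$\Phi = \begin{bmatrix} \{1,2\} & \emptyset \\ * & \{a,b\} \end{bmatrix}.$$

We now define the operation of intersection on the class of
array products. The intersection $\cap$ of two array products $P_1$ and
$P_2$ is the element-by-element intersection of the two arrays. $P_1$
and $P_2$ must have the same dimensions.

$$P_1 \cap P_2 = \begin{bmatrix} R_{11}^1 & \cdots & R_{1n}^1 \\ \vdots & & \vdots \\ R_{m1}^1 & \cdots & R_{mn}^1 \end{bmatrix}
\cap \begin{bmatrix} R_{11}^2 & \cdots & R_{1n}^2 \\ \vdots & & \vdots \\ R_{m1}^2 & \cdots & R_{mn}^2 \end{bmatrix}
= \begin{bmatrix} R_{11}^1 \cap R_{11}^2 & \cdots & R_{1n}^1 \cap R_{1n}^2 \\ \vdots & & \vdots \\ R_{m1}^1 \cap R_{m1}^2 & \cdots & R_{mn}^1 \cap R_{mn}^2 \end{bmatrix}$$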
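The following table defines the element intersection $R_{ij}^1 \cap R_{ij}^2$:

    $\cap$          $\emptyset$      $*$        $a_2$
    $\emptyset$     $\emptyset$      $\emptyset$      $\emptyset$
    $*$             $\emptyset$      $*$        $a_2$
    $a_1$           $\emptyset$      $a_1$      $a_1 \cap a_2$

where $a_1$ and $a_2$ are any sets and $a_1 \cap a_2$ is standard set intersection.
Thus

$$\begin{bmatrix} \{1,2\} & \emptyset \\ * & \{a,b\} \end{bmatrix} \cap \begin{bmatrix} \{1,3\} & \{0,2\} \\ -2 & * \end{bmatrix}
= \begin{bmatrix} \{1,2\} \cap \{1,3\} & \emptyset \cap \{0,2\} \\ * \cap -2 & \{a,b\} \cap * \end{bmatrix}
= \begin{bmatrix} 1 & \emptyset \\ -2 & \{a,b\} \end{bmatrix} = \Phi .$$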

Array product intersection is distributive over set union.
For instance:


{ 1 , 2 } 

A 


1 /k1,2} 0 


,n n ! u 

{a,b>! \ -2 {b,c}; 


{1,3} {0,2} 

-2 y 


n\ 


4- 

[{ 1 , 2 } 0 

{a,b}J 


! ^ 

I 


{1,2} (t> 

-2 b 


U 


{ 1 , 2 } 0 

[_-2 {b,c} 

1 . .: : . <t> ~ 

1-2 {a,b} 




/ 


I 

V 


y 


t u 

' \L 

\ 


J / 

J 


, 2 } ^ 

* {a,b}) 


, 

|{ 1,3} {0,2} 
- 2 i 
The complement of an array product $P$ is the set of all
arrays not represented by $P$. This can be found as follows:

$$P^c = \begin{bmatrix} R_{11} & \cdots & R_{1n} \\ \vdots & & \vdots \\ R_{m1} & \cdots & R_{mn} \end{bmatrix}^c
= \begin{bmatrix} R_{11}^c & \cdots & * \\ \vdots & & \vdots \\ * & \cdots & * \end{bmatrix}
\cup \cdots \cup
\begin{bmatrix} * & \cdots & * \\ \vdots & & \vdots \\ * & \cdots & R_{mn}^c \end{bmatrix}$$

that is, the union over $k = 1, \ldots, m$ and $l = 1, \ldots, n$ of the arrays
whose $(i,j)$ element is

$$\begin{cases} R_{ij}^c & \text{if } k = i,\ l = j \\ * & \text{otherwise} \end{cases}$$

where $R_{ij}^c$ denotes the complement of $R_{ij}$ with respect to $*$,
$\emptyset^c = *$, and $*^c = \emptyset$.

To determine the complement of a trajectory set, De Morgan's
Law could be used. Suppose $V$ is a trajectory set composed of $p$
array products, $V = P_1 \cup \cdots \cup P_p$. Then

$$V^c = (P_1 \cup \cdots \cup P_p)^c = P_1^c \cap \cdots \cap P_p^c .$$


As an example. 
We have found, however, that the evaluation of performability
($\Pr(\gamma^{-1}(a))$) is often simpler if the $\gamma$-induced trajectory sets
($\gamma^{-1}(a)$) are represented as the union of disjoint sets. The set
above, for instance, can be written

Representing a trajectory set as a union of disjoint array products
has analogies with representing a Boolean function in disjunctive
normal form. Thus, we see the possibility of generalizing Roth's
cubical calculus (see [15] for instance) to handle sets other than
0,1 and so manipulate trajectory sets. However, we have not yet
formalized these techniques, and so they will not be discussed in
depth within this report. During the next reporting period, we
intend to continue this effort.
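The array product operations of this section (intersection, complement, De Morgan's Law, and the rewriting of a union as disjoint array products), as an added Python sketch that is not part of the report. The function names and the row-major tuple encoding are assumptions of the example, and `subtract` and `make_disjoint` use a standard disjoint decomposition that the report itself leaves unformalized; the cell domains are those of the 2 x 2 example array above.

```python
from itertools import product

# Cell domains Q_11, Q_12, Q_21, Q_22 of the report's 2x2 example array.
DOMAINS = ((1, 2, 3), (0, 2, 4), (-1, -2), ("a", "b", "c"))
FULL = tuple(frozenset(d) for d in DOMAINS)      # the array [* *; * *]

def ap(*cells):
    """Build an array product (row-major). '*' is the full set, set() the
    empty set; a bare value stands for a singleton, following the
    bracket-free convention for singleton elements."""
    out = []
    for k, c in enumerate(cells):
        if isinstance(c, str) and c == "*":
            out.append(FULL[k])
        elif isinstance(c, (set, frozenset)):
            out.append(frozenset(c))
        else:
            out.append(frozenset([c]))
    return tuple(out)

def is_null(p):
    """A null array contains the empty set in at least one cell."""
    return any(len(cell) == 0 for cell in p)

def intersect(p, q):
    """Element-by-element intersection of two array products."""
    return tuple(a & b for a, b in zip(p, q))

def expand(ts):
    """All trajectories represented by a union (list) of array products."""
    return {u for p in ts for u in product(*p)}

def ts_intersect(ts1, ts2):
    """Intersection distributes over union: intersect pairwise, drop nulls."""
    out = []
    for p in ts1:
        for q in ts2:
            r = intersect(p, q)
            if not is_null(r):
                out.append(r)
    return out

def complement(p):
    """One array per cell: that cell complemented, every other cell '*'."""
    return [FULL[:k] + (FULL[k] - cell,) + FULL[k + 1:]
            for k, cell in enumerate(p) if FULL[k] - cell]

def ts_complement(ts):
    """De Morgan: (P1 u ... u Pp)^c = P1^c n ... n Pp^c."""
    acc = [FULL]
    for p in ts:
        acc = ts_intersect(acc, complement(p))
    return acc

def subtract(p, q):
    """p minus q as pairwise disjoint array products (assumed construction,
    not taken from the report)."""
    both = intersect(p, q)
    if is_null(both):
        return [p]
    return [both[:k] + (p[k] - q[k],) + p[k + 1:]
            for k in range(len(p)) if p[k] - q[k]]

def make_disjoint(ts):
    """Rewrite a union of array products as a union of disjoint ones."""
    out = []
    for p in ts:
        pieces = [p]
        for q in out:
            pieces = [r for piece in pieces for r in subtract(piece, q)]
        out.extend(pieces)
    return out

def size(ts):
    """Sum of cell-size products; equals the trajectory count only when
    the array products are disjoint."""
    total = 0
    for p in ts:
        n = 1
        for cell in p:
            n *= len(cell)
        total += n
    return total
```

With disjoint array products, the probability of a trajectory set is the sum of the probabilities of its array products, which is why `size` over-counts on an overlapping union and is exact after `make_disjoint`.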
3.5.5 Higher Level Partial Capability Function Preimage Sets

Using the techniques given in the previous sections, $\gamma_2^{-1}$
was derived. The following sections outline that process. We
have found that simplifying the higher level models (by their
partial capability function preimage sets) makes the insertion
of several different bottom level models more wieldy. Thus,
discussion of the bottom levels is postponed until Section 3.5.6.

As a review, Figure 2 displays the hierarchical structure
for the mission as defined thus far in the report. Figure 3
summarizes the variables employed in those higher level models.


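3.5.5.1 $\gamma_0$-Induced Trajectory Sets

From the definition of $\kappa_0$ in Section 3.5.3.1, $\gamma_0^{-1}$
is immediately obtained. Table 2 gives the preimage sets.
Note that each $\gamma_0^{-1}(a)$ is expressed as an array product.

3.5.5.2 $\gamma_1$-Induced Trajectory Sets

To determine $\gamma_1^{-1}$, we first reexamine $\kappa_1$. From Section
3.5.3.2:

$$\xi_1\kappa_1(y) = \begin{cases} 0 & \text{if } y_{11} \in \{0,1\} \text{ and } y_{12} \in \{4,5\} \\ 1 & \text{otherwise} \end{cases}
= \begin{cases} 0 & \text{if } y \in \begin{bmatrix} \{0,1\} & \{4,5\} \\ * & * \end{bmatrix} \\ 1 & \text{otherwise} \end{cases}$$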
[Figure 2: Mission variables defined in the upper levels of an air transport mission model hierarchy. Panels: Mission Level; Aircraft Functional Level.]

[Figure 3: Variables employed in the higher levels of the model hierarchy. Columns: Computational Task Level; Aircraft Functional Level; Mission Level; Accomplishment Set.]
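$$\xi_2\kappa_1(y) = \begin{cases} 1 & \text{if } y_{11} \in \{1,2,3\} \text{ and } y_{21} = 1 \\ 0 & \text{otherwise} \end{cases}
= \begin{cases} 1 & \text{if } y \in \begin{bmatrix} \{1,2,3\} & * \\ 1 & * \end{bmatrix} \\ 0 & \text{otherwise,} \end{cases}$$

$$\xi_3\kappa_1(y) = \begin{cases} 1 & \text{if either a) } y_{11} = 3 \text{ or } (y_{11} = 2 \text{ and } y_{12} \in \{6,7\}) \\ & \text{or b) } y_{11} = 0 \text{ and } y_{21} = 1 \text{ and } y_{12} \in \{5,7\} \\ 0 & \text{otherwise} \end{cases}$$

$$= \begin{cases} 1 & \text{if } y \in \begin{bmatrix} 3 & * \\ * & * \end{bmatrix} \cup \begin{bmatrix} 2 & \{6,7\} \\ * & * \end{bmatrix} \cup \begin{bmatrix} 0 & \{5,7\} \\ 1 & * \end{bmatrix} \\ 0 & \text{otherwise.} \end{cases}$$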


The component inverses are: 


(Ci<i) ^ (Zj) 



if = 0 


(C2K1I ^(^ 2 ^ 





otherwise 


otherwise 


{ 5 , 7 } . 


if Zj = 1 


{ 5 , 7 } 2 {4,5} 

4: * 4 


otherwise 
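The derivations of $(\xi_1\kappa_1)^{-1}(0)$, $(\xi_2\kappa_1)^{-1}(1)$, and $(\xi_3\kappa_1)^{-1}(1)$
follow immediately from the definitions of $\xi_1\kappa_1$, $\xi_2\kappa_1$
and $\xi_3\kappa_1$ respectively, while $(\xi_1\kappa_1)^{-1}(1)$, $(\xi_2\kappa_1)^{-1}(0)$, and
$(\xi_3\kappa_1)^{-1}(0)$ were found by taking the complements of $(\xi_1\kappa_1)^{-1}(0)$,
$(\xi_2\kappa_1)^{-1}(1)$, and $(\xi_3\kappa_1)^{-1}(1)$.

Armed with the relations above, we can now state $\gamma_1^{-1}$
using

$$\gamma_1^{-1}(a) = \{(\kappa_1^{-1}(z_c), z_b) \mid \gamma_0(z) = a\}$$

$$\kappa_1^{-1}(z) = (\xi_1\kappa_1)^{-1}(z_1) \cap (\xi_2\kappa_1)^{-1}(z_2) \cap (\xi_3\kappa_1)^{-1}(z_3)$$

As an example of the computations involved, consider

$$z = \begin{bmatrix} 0 \\ 0 \\ 0 \end{bmatrix}.$$

Then

$$\kappa_1^{-1}(z) = (\xi_1\kappa_1)^{-1}(0) \cap (\xi_2\kappa_1)^{-1}(0) \cap (\xi_3\kappa_1)^{-1}(0)$$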


(Ko,l) { 4 , 5 } 


r\ ^ 


/ i 0 


in, ’ 


1 { 1 , 2 , 3 } 


u 


* j/ y_* 

0 { 4 , 6 ? fb {5, 7 }' 

* 


u 


-i 


0 


L 


0 4 
* ^ 


fo si 
U I I u 

: lp d 



So, since {z|Yq(z) ~ aQ} = 


-1 


fol 

0 i , then 

Loj 



'0 4 i 

’o i] 

1 {4 , 5)1 

=?'■ 

u 

u 

1 

1 


* d 

L? d 

0 <f J 


Table 3 displays the $\gamma_1$ preimage sets for all $a \in A$. 



Table 3 
Preimages of 
3.5.5.3 $\gamma_2$-Induced Trajectory Sets 

The derivation of $\gamma_2^{-1}$ is similar to that for $\gamma_1$. 
Consider $\kappa_2$ from Section 3.5.3.3: 


1 

1 

0 

if 

^11 

■ *12 ■ ’'22 ■ ° 



1 

if 

^11 

= Xj2 = 0 and X22 = 

1 


! 2 

i 

if 

Cxii 

= 1 and x ^2 “ 


i 


or 

(Xfi - 0 and Xj ^2 “ 

1) 

3 

if 

Xfi 

= ^12 



/ 




0 

0 

* 


0 

if 

X 

e 

A 

0 

* 






"0 

0 

*' 


1 

if 

X 

z 

J 

1 

* 






'1 

0 

*■ 

fo 1 

2 

if 

X 

z 




U i 





J 

* 

A 

J 

U * 





'1 

1 



3 

if 

X 

z 

A 

* 


, 




4 if Xi3 = XJ 3 = 0 

5 if - 0 and X 23 

6 if = 1 and X23 

7 if X33 = 1 and X23 




4 if X e 


5 if X e 


6 if X e 


* * 0 

<f: * 0 . 

* * o' 

i * 1. 

* * l' 

i * 0 . 


7 if X e 


'* * j 

i *.,.1 



First , 
The inverses of $\xi_{1j}\kappa_2$ can then be stated as below: 

if Xll = 0 


0 0 

^ 0 




12 


1 
1 


C c 1 2 2 ^ C y 1 9 ) 


12 


= < 


C 

[: 


0 

1 

0 

* 

1 

A 

A 

A 

A 

A 

A 

A 

A 

A 


if Xii = 1 


if 


if 


if 


if 


if 


>^11 


^12 


^12 


^12 


^12 


= 3 


= 4 


= 5 


= 6 


= 7 


if yil = 2 


From Section 3.5.4.1, we note that 

$$\kappa_2^{-1}(y_c) = (\xi_{11}\kappa_2)^{-1}(y_{11}) \cap (\xi_{12}\kappa_2)^{-1}(y_{12})$$

where $y_c = [y_{11}\ y_{12}]$. For example, 

$$\kappa_2^{-1}([0\ 4]) = (\xi_{11}\kappa_2)^{-1}(0) \cap (\xi_{12}\kappa_2)^{-1}(4)$$


0 0 * 


n 


* * o' 


U 0 U * 0 
0 0 0" 
i 0 0 
The inverse $\kappa_2^{-1}$ is shown in Table 4. 

Next, we must determine 

$$\gamma_2^{-1}(a) = \{(\kappa_2^{-1}(y_c),\, y_b) \mid \gamma_1(y) = a\}$$

for all $a \in A$. As an illustration, consider $\gamma_2^{-1}(a_0)$. From 
Table 3, 


Yi'^Can) 


ro 4 " 

To 5 " 


1 

c; 

U 

}* 

lb 4. 

L 


-f • 


-1 


Then for each in (ag) we find from Table 4: 


< 2 " ([0 4]) = 


fO 0 01 




-1 


2 C[0 5]) = 


<2 {4,5}]) = (5ii 

0 0 * 

1 *J \L 


0 0 : 
b 0 0] 

^ 0 ij, 

d1\ 


^0 0 O' 


0: 


* * 01 
ir * 11 


Hence , 


-1 


(an) = 




b 0 ol \ 

[x [0 >11 U 


0 1 ! 


1 


^ [0 4] 


where $\times$ denotes the Cartesian (cross) product, e.g., 


Table 5 gives the complete relation $\gamma_2^{-1}$. 
Table 4 

Preimages of $\kappa_2$ 


3.5.6 Bottom Level Models 

To this point, we have presented the foundation for the 
effectiveness evaluation of various computers for a simple 
mission. We now introduce several computer models, 
and then, using the techniques described in Sections 3.4.2-3, 
determine their performability. 

We emphasize that any computer model could now be placed 
in the hierarchy and evaluated for its performability in the 
given mission, provided that a suitable translation 
is constructed. The computer models which illustrate this 
example analysis have been chosen because of their simplicity, 
their diversity, and the fact that they are based on the same 
building blocks. This latter quality makes comparison of 
various configurations easier. 

Three computers will be evaluated and compared. Each will 
be composed of four processor modules, where each module has 
processing power P (i.e., has the ability to do P work units of 
usable computation per unit time). Also, each module fails 
independently with a Poisson distribution having a constant 
failure rate $\lambda$ (thus, Pr(a given module fails during an interval 
of length T) = $1 - e^{-\lambda T}$). We assume every module has sufficient 
internal checking so that a module can diagnose itself as failed. 
This could be accomplished, for example, if every module were 
composed of components in a triple module redundant (TMR) 
configuration. If a module fails, the P units of processing power 
associated with that module are lost. Finally, we make the 
assumption that 2P units of processing power are required to 
perform fuel regulation computations during the take-off and 
cruise phases, 1P unit is required to perform the fuel 
regulation computations during the landing phase, while 1P unit 
is needed for autoland checkout and preparation (i.e., 
availability) during the last portion of the cruise phase, and 2P 
units of processing power are required to perform autoland 
computations during the landing phase. In summary: 

                                      Phases 

                    (Take-off, first   (Second part   (Landing) 
  Tasks              part of cruise)    of cruise) 

  Fuel Regulation 
  Computations            2P                2P            1P 

  Autoland 
  Computations            0                 1P            2P 

                   Required Processing Power. 

The three computer models will be denoted: 

$S_1$ Dedicated Processor Model, 

$S_2$ Dedicated Group Processor Model, 

$S_3$ Gracefully Degrading Processor Model. 

In $S_1$, each of the four processors is dedicated at all times to 
a given task. $S_2$ configures the four processors into two groups 
of two processors; these groups are then dedicated to a given 
task. Finally, $S_3$ allows any processor to perform any task, with 
a priority list specifying the particular tasks to be done. 

The following sections describe the models in detail and 
give the translations. Also, some model simplification via 
lumping is performed and is reflected in the construction of 
appropriate interphase transition matrices (H-matrices). 

The four processor modules are denoted $M_1$, $M_2$, $M_3$, and $M_4$. 
The phases for the bottom level are the same as for the 
computational task level, i.e., 

= {T^, T^, T}. 


3.5.6.1 Dedicated Processor Model 

The first computer to be considered, $S_1$, consists of four 
modules, each dedicated to a computational task: two for fuel 
regulation computations and two for autoland computations. 

During the take-off and cruise phases, the configuration is as 
follows: 

  $S_1$, Phases 1 and 2: 
      $M_1$, $M_2$   Fuel regulation computations 
      $M_3$        Autoland checkout and preparation 
      $M_4$        Inactive. 

Here, modules $M_1$ and $M_2$ are dedicated to fuel regulation 
computations while module $M_3$ is reserved for autoland availability 
activities. Module $M_4$ is inactive. The landing phase 
configuration is 

  $S_1$, Phase 3: 
      $M_1$        Inactive 
      $M_2$        Fuel regulation computations 
      $M_3$, $M_4$   Autoland computations. 

In this phase, module $M_1$ is no longer needed and so is inactive. 
$M_2$ performs fuel regulation computations, while $M_3$ and $M_4$ do 
the autoland computations. 

Because these modules are dedicated, there is no 
reconfiguration if one module should fail. Let us write the state 
of the system as the collection of unfailed modules and enclose 
the set with angle brackets. (This is done to prevent confusion with 
{ and }.) For example, if no modules are failed, then the 
system state is <$M_1$, $M_2$, $M_3$, $M_4$>. The computer can then be 
represented during all phases as the Markov model denoted by 
the transition diagram in Figure 4. These states are for $S_1$. 

However, note that during phase 1, we are unconcerned with 
$M_3$ and $M_4$, during phase 2 we do not care about $M_4$, and during 
phase 3 we are unconcerned with $M_1$. Thus we can significantly 
reduce the state space of the model by not considering $M_3$ or 
$M_4$ during phase 1, $M_4$ during phase 2, or $M_1$ during phase 3. Accordingly, 
the transition diagrams applicable during the three phases are 
shown in Figure 5. (See Section 3.4.3 on model simplification.) 

Figure 5 

Reduced Markov model transition diagrams for $S_1$ for phases 1, 2 
and 3. Each transition has transition rate $\lambda$. 

To account for the possible failures of modules not examined 
during some phase, two interphase transition matrices H(1) and 
H(2) must be constructed (see Section 3.4.3). Indeed, these are 
easily defined as follows. Since each module fails independently 
of the others, we need introduce only the probability that a 
module fails during the interval it is not observed. Let $T_1$ and 
$T_2$ be the lengths of phases 1 and 2 respectively. Then the 
probability that a module fails by the end of phase 1 given it was 
good at the beginning of phase 1 is $1 - e^{-\lambda T_1}$. Similarly, $1 - e^{-\lambda T_2}$ 
denotes the probability that a module fails by the end of phase 
2 and $1 - e^{-\lambda (T_1 + T_2)}$ is the probability that a module fails by 
the end of phase 2 given it was good at the beginning of phase 1. 
Thus, we can write H(1) and H(2) as shown in Figure 6. Note that 
H(1) is conditioned on initially being in state <M^ ,M 2 ,M^>. 

Each entry in the H matrix denotes the probability of 
transferring from some state in phase i (listed on the left hand 
side of the matrix) to some state in phase i + 1 (listed below 
the matrix). For example, we see that if is in state <M^,M 2 > 
at the end of phase 2, we then transfer to state <Mj,M^> with 
probability *^2) (i.e., with the probability that has not 

failed during phases 1 and 2) and to state <Mj> with probability 
l-e"^^^! ^ ^ 2 ) (i.e., with the probability, that has failed). 

Next we can specify the transition matrices P(1), P(2), 
and P(3) for each phase utilizing the transition diagrams in 
Figure 5. The P(i) appear in Figure 7. Again, each element of 
P(i) represents the probability of transferring from the state 
listed along the left hand column to the state listed below 
the bottom row during the phase. 

Figure 6 

Interphase Transition Matrices for the Dedicated Processor Model 

3.5.6.2 Dedicated Group Processor Model 

For the second computer $S_2$, we again have four modules, 
and again connect them such that two are dedicated to fuel 
regulation computations and two are dedicated to autoland computations. 
However, within the two groups, if one processor fails, the 
second processor can take over the first processor's function 
if the second processor is inactive. Hence, during all phases 
the configuration looks as follows: 

      $M_1$, $M_2$   Fuel regulation computations 
      $M_3$, $M_4$   Autoland checkout, preparation, and 
                 computations. 


If we again write the model's state as the set of unfailed 
modules, then the Markov model transition diagram for $S_2$ is the 
same as shown in Figure 4. However, once again during different 
phases we are unconcerned with various phases of the modules. 
Thus, during phase 1 we do not care about $M_3$ or $M_4$, during 
phase 2 we are unconcerned with which of $M_3$ or $M_4$ is operational, 
while in phase 3 we are unconcerned with which of $M_1$ or $M_2$ is 
working. Hence, let us write the state of the model in phase 1 
as the number of fuel regulation modules working f, $f \in \{0,1,2\}$. 

Also, the state of the model in phases 2 and 3 will be written as the 
ordered pair (f,a), where $f \in \{0,1,2\}$ is the number of working 
fuel regulation modules and $a \in \{0,1,2\}$ is the number of working 
autoland modules. The Markov diagrams for phases 1, 2, and 3 
are shown in Figure 8. The model for phases 2 and 3 is not 
easily reducible since we must keep track of the number of 
functioning units at all times to determine when none are left. 

Figure 8 

Markov Model Transition Diagram for $S_2$ 
(Panels: a) Phase 1, b) Phases 2 and 3.) 

Because the states of phase 2 and phase 3 are identical 
and no reconfiguration occurs between the phases, the interphase 
transition matrix H(2) is the 9 x 9 identity matrix. The 
interphase transition matrix between phases 1 and 2 must take into 
account the probabilities that one or both of the autoland 
modules have failed. H(1) is conditioned on being initially 
in state (2,2). Figure 9 shows H(1) and H(2). 

The transition matrices P(1), P(2) and P(3) are given in Figure 10. 

Figure 9 

Interphase Transition Matrices for the Dedicated Group Processor 
(States are listed in the order (2,2) (1,2) (2,1) (0,2) (1,1) (2,0) (0,1) (1,0) (0,0).) 

Figure 10 

Transition Matrices for the Dedicated Group Processor 

3.5.6.3 Gracefully Degrading Processor Model 

The third computer to be discussed, $S_3$, is once more 
comprised of 4 modules, but with no specific processor assignments. 
Any processor can perform any other processor's task. One 
processor will be used to help co-ordinate the other processors, 
and if necessary, can be used as a spare. The configuration 
during both phases is thus: 

      $M_1$, $M_2$, $M_3$, $M_4$   Fuel regulation computations 
                         and 
                         Autoland checkout, preparation, 
                         and computations. 

The state of this system is then simply the number of 
processors working. Hence, the state ranges from 0 to 4. Figure 11 shows 
the general Markov model transition diagram for $S_3$. Q = {0,1,2,3,4}. 

Figure 11 

General Markov Model Transition 
Diagram for $S_3$. 

Although the transition diagram could be reduced by 
examination of the computer task requirements and by a proper choice of 
the interphase transition matrices, we choose not to do that at 
this time. Hence the model represented in Figure 11 will be used 
uniformly in all three phases. Furthermore, since no hardware 
reconfiguration occurs between phases, the interphase transition 
matrices are the 5x5 identity matrix: 

                  1 0 0 0 0 
                  0 1 0 0 0 
  H(1) = H(2) =   0 0 1 0 0 
                  0 0 0 1 0 
                  0 0 0 0 1 

Also, the transition matrices P(1), P(2), and P(3) are the same 
and are shown in Figure 12. 


For each state within each phase, we establish a set of 
tasks, the task set, which will be performed within that state. 
This set is necessary to allocate the available processing 
resources to the highest priority computations that are achievable. 
In particular, if a processor performing a highly important task 
fails, then a processor performing a less important task must assume 
the computations of the first, more important, task. Also, 
situations could arise such that insufficient processing power may 
be available to perform high priority tasks. In this case, lower 
priority tasks are then performed. 

Specifying a set of tasks to be operating in each state 
resolves these problems. In general, the set is based both on 
the number of processing units required to accomplish each task 
in the set as well as on some task cost function. For this 
example, an appropriate cost function is based on a simple 
priority list for each phase. For phase 1, the priority 
ordering is: 

1) Fuel regulation computations 

2) Coordination and spare. 

For phase 2 the list is 

1) Fuel regulation computations 

2) Autoland checkout and preparation 

3) Coordination and spare, 

and for phase 3 the ordering is 

1) Autoland computations 

2) Fuel regulation computations 

3) Coordination and spare. 

The earlier in the list a task is named, the higher its priority. 
For a given state and phase, we choose the tasks to be 
performed according to the following algorithm. Starting with 
the highest priority task, each task is examined in turn. If 
enough resources are available to perform both the examined 
task and all previously chosen tasks, then the examined task is 
also chosen. Using this rule, the task sets for each state 
during each phase are shown in Table 6. 
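
The selection rule above can be run directly. The following Python sketch is an added example, not code from the report: it applies the rule to the gracefully degrading model using the processing requirements summarized in Section 3.5.6, and derives from the task sets the states in which each computation succeeds. The function names are hypothetical, and "Coordination and spare" is left out as an assumption because the text states no processing requirement for it.

```python
# Added example: greedy task-set selection for the gracefully degrading model.
# Power needed per task (in units of P), listed in each phase's priority order,
# as given in the "Required Processing Power" summary of Section 3.5.6.
# Assumption: "Coordination and spare" is left out, since no power requirement
# is stated for it and the interlevel translation does not observe it.
PRIORITY = {
    1: [("fuel", 2)],
    2: [("fuel", 2), ("autoland", 1)],   # autoland checkout and preparation
    3: [("autoland", 2), ("fuel", 1)],
}
TASKS = {1: "fuel", 2: "autoland"}       # index i of the observed variable x_ij
STATES = set(range(5))                   # Q = {0,1,2,3,4} working processors


def task_set(phase, working):
    """Tasks chosen in `phase` when `working` processors are operational."""
    chosen, used = [], 0
    for task, need in PRIORITY[phase]:
        # A task is chosen only if it fits together with all tasks chosen so far.
        if used + need <= working:
            chosen.append(task)
            used += need
    return chosen


def success_states(task, phase):
    """States of `phase` in which `task` is performed (observed value 0)."""
    return {q for q in STATES if task in task_set(phase, q)}


def translate(trajectory):
    """Map a trajectory w = [w1 w2 w3] to the observed values x_ij.

    Only (task, phase) pairs with a stated requirement are reported;
    0 means the computation succeeds, 1 means it does not.
    """
    x = {}
    for i, task in TASKS.items():
        for j, state in enumerate(trajectory, start=1):
            if any(name == task for name, _ in PRIORITY[j]):
                x[(i, j)] = 0 if task in task_set(j, state) else 1
    return x


def component_inverse(i, j, value):
    """Preimage of `value` under the (i, j) component, as an array product.

    The result has one set per phase; the full state set plays the role of
    the '*' entry in the report's array notation.
    """
    ok = success_states(TASKS[i], j)
    column = ok if value == 0 else STATES - ok
    return [column if phase == j else set(STATES) for phase in (1, 2, 3)]


if __name__ == "__main__":
    for phase in (1, 2, 3):
        for state in (4, 3, 2, 1, 0):
            print(phase, state, task_set(phase, state) or "None")
    print(translate((4, 3, 1)))
```

With one processor left in phase 2 the fuel regulation task no longer fits, so the lower priority autoland checkout is chosen instead, which is the "lower priority tasks are then performed" case described above.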

3.5.7 Capability Function Preimage Sets 

We are now prepared to derive the capability function 
preimage sets for each of the three bottom, computational 
hardware level models. First the interlevel translations $\kappa_3$ between 
the bottom level and the computational task level are determined. 
These are then combined with the preimage sets of $\gamma_2$ (Section 
3.5.5) using the algorithm of Section 3.5.4.1 to arrive at $\gamma^{-1}$. 

Each of the three bottom levels will be represented by a 
three-variable random process w - (Xj » » taking values in 
  Phase   State   Task Set 

    1       4     Fuel regulation computations 
                  Coordination and spare 
            3     Fuel regulation computations 
                  Coordination and spare 
            2     Fuel regulation computations 
            1     None 
            0     None 

    2       4     Fuel regulation computations 
                  Autoland checkout and preparation 
                  Coordination and spare 
            3     Fuel regulation computations 
                  Autoland checkout and preparation 
            2     Fuel regulation computations 
            1     Autoland checkout and preparation 
            0     None 

    3       4     Autoland computations 
                  Fuel regulation computations 
                  Coordination and spare 
            3     Autoland computations 
                  Fuel regulation computations 
            2     Autoland computations 
            1     Fuel regulation computations 
            0     None 

Table 6 

Task Sets for $S_3$ by Phase and State. 
the state spaces Q"^ described in the preceding sections. The 
trajectory space for each model is 

3 5 3 3 

W = U = Q X Q X Q*^ , 

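and in our array notation, a trajectory $w \in W$ is written 

$$w = [w_1\ w_2\ w_3].$$

The interlevel translation can be decomposed into 

$$\xi_{11}\kappa_3: W \to X_{11}$$

$$\xi_{12}\kappa_3: W \to X_{12}$$

$$\xi_{13}\kappa_3: W \to X_{13}$$

$$\xi_{21}\kappa_3: W \to X_{21}$$

$$\xi_{22}\kappa_3: W \to X_{22}$$

$$\xi_{23}\kappa_3: W \to X_{23}.$$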

The K are constructed as follows. From Section 3.5. 3.3 


X. . = i 

ij 1 


21 


0 if computation i successful at observation j 


1 otherwise 
for i = 1 , 2 

j =1,2,3 

3 ¥ 1 when i = 1 - 

where i = 1 fuel regulation computations 

^ ^ i - 2 autoland computations, and 


Furthermore, from Section 3.5.6, the required processing power 
for each phase broken down by task is given as: 

                                      Phases 

                    (Take-off, first   (Second part   (Landing) 
  Tasks              part of cruise)    of cruise) 

  Fuel Regulation 
  Computations            2P                2P            P 

  Autoland 
  Computations            0                 1P            2P 

                   Required Processing Power 


where P is the processing power of one processor. Every state in 
each bottom level model in Section 3.5.6 has associated with it 
the number of processors applied to each task. Hence, given a 
bottom level state, determining whether a particular computational 
task is achieved is mechanical, and so the function $\xi_{ij}\kappa_3$ is 
straightforward, namely 


CijKjCw) = 


[0 if w. allocates sufficient 
processing power to task j 
so that j' is achieved 

1 otherwise . 


In addition, it is plain that has an inverse, 


From Section 3.5.4.1, 

$$\gamma^{-1}(a) = \{(\kappa_3^{-1}(x_c),\, x_b,\, y_b) \mid \gamma_2(x, y_b) = a\}.$$

But X has no basic variables since all variables in x are 
decomposed at the computer hardware level, so $x_b = \emptyset$, $x = x_c$, and 

$$\gamma^{-1}(a) = \{(\kappa_3^{-1}(x),\, y_b) \mid \gamma_2(x, y_b) = a\}.$$

In the sections that follow, $\gamma^{-1}$ is derived for each of the 
bottom models given in Section 3.5.6. 
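3.5.7.1 $\gamma^{-1}$ for the Dedicated Processor Model 

For the dedicated processor model $S_1$, the interlevel 
translation can be seen to be composed of the following: 

$$\xi_{11}\kappa_3(w) = \begin{cases} 0 & \text{if } w_1 = \langle M_1,M_2\rangle \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [\langle M_1,M_2\rangle\ *\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{12}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_2\rangle\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_2\rangle\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{13}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{\langle M_2,M_3,M_4\rangle, \langle M_2,M_3\rangle, \langle M_2,M_4\rangle, \langle M_2\rangle\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{\langle M_2,M_3,M_4\rangle, \langle M_2,M_3\rangle, \langle M_2,M_4\rangle, \langle M_2\rangle\}] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{21}\kappa_3(w) = 0,$$

$$\xi_{22}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_3\rangle, \langle M_2,M_3\rangle, \langle M_3\rangle\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_3\rangle, \langle M_2,M_3\rangle, \langle M_3\rangle\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{23}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{\langle M_2,M_3,M_4\rangle, \langle M_3,M_4\rangle\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{\langle M_2,M_3,M_4\rangle, \langle M_3,M_4\rangle\}] \\ 1 & \text{otherwise.} \end{cases}$$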


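From these components, we can now write the inverses: 

$$(\xi_{11}\kappa_3)^{-1}(x_{11}) = \begin{cases} [\langle M_1,M_2\rangle\ *\ *] & \text{if } x_{11} = 0 \\ [\{\langle M_1\rangle, \langle M_2\rangle, \phi\}\ *\ *] & \text{if } x_{11} = 1, \end{cases}$$

$$(\xi_{12}\kappa_3)^{-1}(x_{12}) = \begin{cases} [*\ \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_2\rangle\}\ *] & \text{if } x_{12} = 0 \\ [*\ \{\langle M_1,M_3\rangle, \langle M_2,M_3\rangle, \langle M_1\rangle, \langle M_2\rangle, \langle M_3\rangle, \phi\}\ *] & \text{if } x_{12} = 1, \end{cases}$$

$$(\xi_{13}\kappa_3)^{-1}(x_{13}) = \begin{cases} [*\ *\ \{\langle M_2,M_3,M_4\rangle, \langle M_2,M_3\rangle, \langle M_2,M_4\rangle, \langle M_2\rangle\}] & \text{if } x_{13} = 0 \\ [*\ *\ \{\langle M_3,M_4\rangle, \langle M_3\rangle, \langle M_4\rangle, \phi\}] & \text{if } x_{13} = 1, \end{cases}$$

$$(\xi_{21}\kappa_3)^{-1}(x_{21}) = [*\ *\ *],$$

$$(\xi_{22}\kappa_3)^{-1}(x_{22}) = \begin{cases} [*\ \{\langle M_1,M_2,M_3\rangle, \langle M_1,M_3\rangle, \langle M_2,M_3\rangle, \langle M_3\rangle\}\ *] & \text{if } x_{22} = 0 \\ [*\ \{\langle M_1,M_2\rangle, \langle M_1\rangle, \langle M_2\rangle, \phi\}\ *] & \text{if } x_{22} = 1, \end{cases}$$

$$(\xi_{23}\kappa_3)^{-1}(x_{23}) = \begin{cases} [*\ *\ \{\langle M_2,M_3,M_4\rangle, \langle M_3,M_4\rangle\}] & \text{if } x_{23} = 0 \\ [*\ *\ \{\langle M_2,M_3\rangle, \langle M_2,M_4\rangle, \langle M_2\rangle, \langle M_3\rangle, \langle M_4\rangle, \phi\}] & \text{if } x_{23} = 1. \end{cases}$$

Then, using the method of Section 3.5.4.1, $\kappa_3^{-1}$ was found. 
This relation is given in Table 7. Finally, using Table 7 and 
Table 5, $\gamma^{-1}$ was found. As an example of the procedure utilized: 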


Y"^(a 2 ) = { Cks"'^ (x) ,7^)1 Y:(x = ^ 2 ) 


-1 


-1/ 

•^3 ( 

i:ti: \ 


0 0 0 


V::*i 

j_,M 2> <M^,M2> 


X [1 

{<M2,M3,M4>, 


. (‘“"1 , 

<M2,M3>, <M2»M4>, <M2>}] X [1 i]j 


-1 


Table 8 lists y fo^^ 
Preimages of $\kappa_3$ of the Dedicated Processor Model 


(a) £ W X 


i{<Mj,M2> <Mj,M. 

,> <M2,M3,M^>J k 

U {{<Mj,H2> 

<Mj,M2> {<M2»«3 

U (C<Mj,M2> 

. i ; . . : 

<Mj,H2> (<M2,M3 

(K<Mj>,<M2>,*j1 

: {<M3,H2,M3>,<Mj,I 

U (1<Mj,H2> 

{<Mj,M3>,<M2,H3> 

U_(J<Mj,M2> 

<Mj,M2> <M3,M^> 

0 (I<Mi,M2> 

<Mj,M 2> {<M3>,<f 

u (1<Mj,M2> 

<Mj,H2> {<M3,m^: 

J<Mj;M2> <Mj,M 

2> T<M2,H3,M4>,< 

(K<«i>,<H2>,*i) 

][<Mj,M2,H3>,<Hj,^ 

U {[<MjrM2> 

{<Mj,M3>,<M2,M3> 

U ([<Mj.,M2> 

<Kj,M2> {<M3,M^: 

(r(<Mj>,<P2>',!%l 

{<Mj,M3>,<H2,M,3> 

:|u(I {<«!> ,<« 

2>,4|j) (<Mj,H2,H. 

U (1<Hj,M2> 

{<H^,M3>,<M2,M3> 

UCt<Mj.M2> 

<Mj,M2> {<M3,M3: 


Table 8 

Preimages of $\gamma$ for the Dedicated Processor Model 


(0 H) 


[1 i]) 


! 

I. 
3.5.7.2 $\gamma^{-1}$ for the Dedicated Group Processor Model 

The derivation of the $\gamma$-induced trajectory sets for the 
dedicated group processor model $S_2$ is similar to the 
derivation in Section 3.5.7.1 for the dedicated processor model. 
The $\xi_{ij}\kappa_3$ are as follows: 

$$\xi_{11}\kappa_3(w) = \begin{cases} 0 & \text{if } w_1 = 2 \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [2\ *\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{12}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{(2,2), (2,1), (2,0)\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{(2,2), (2,1), (2,0)\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{13}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{(2,2), (2,1), (2,0), (1,2), (1,1), (1,0)\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{(2,2), (2,1), (2,0), (1,2), (1,1), (1,0)\}] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{21}\kappa_3(w) = 0,$$

$$\xi_{22}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{(2,2), (1,2), (0,2), (2,1), (1,1), (0,1)\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{(2,2), (1,2), (0,2), (2,1), (1,1), (0,1)\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{23}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{(2,2), (1,2), (0,2)\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{(2,2), (1,2), (0,2)\}] \\ 1 & \text{otherwise.} \end{cases}$$


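The inverses $(\xi_{ij}\kappa_3)^{-1}$ are as below: 

$$(\xi_{11}\kappa_3)^{-1}(x_{11}) = \begin{cases} [2\ *\ *] & \text{if } x_{11} = 0 \\ [\{0,1\}\ *\ *] & \text{if } x_{11} = 1, \end{cases}$$

$$(\xi_{12}\kappa_3)^{-1}(x_{12}) = \begin{cases} [*\ \{(2,2), (2,1), (2,0)\}\ *] & \text{if } x_{12} = 0 \\ [*\ \{(1,2), (1,1), (1,0), (0,2), (0,1), (0,0)\}\ *] & \text{if } x_{12} = 1, \end{cases}$$

$$(\xi_{13}\kappa_3)^{-1}(x_{13}) = \begin{cases} [*\ *\ \{(2,2), (2,1), (2,0), (1,2), (1,1), (1,0)\}] & \text{if } x_{13} = 0 \\ [*\ *\ \{(0,2), (0,1), (0,0)\}] & \text{if } x_{13} = 1, \end{cases}$$

$$(\xi_{21}\kappa_3)^{-1}(x_{21}) = [*\ *\ *],$$

$$(\xi_{22}\kappa_3)^{-1}(x_{22}) = \begin{cases} [*\ \{(2,2), (1,2), (0,2), (2,1), (1,1), (0,1)\}\ *] & \text{if } x_{22} = 0 \\ [*\ \{(2,0), (1,0), (0,0)\}\ *] & \text{if } x_{22} = 1, \end{cases}$$

$$(\xi_{23}\kappa_3)^{-1}(x_{23}) = \begin{cases} [*\ *\ \{(2,2), (1,2), (0,2)\}] & \text{if } x_{23} = 0 \\ [*\ *\ \{(2,1), (1,1), (0,1), (2,0), (1,0), (0,0)\}] & \text{if } x_{23} = 1. \end{cases}$$

Finally, as in the previous section, $\kappa_3^{-1}$ and $\gamma^{-1}$ for $S_2$ 
were found. These are given in Tables respectively. 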


3.5.7.3 $\gamma^{-1}$ for the Gracefully Degrading Model 

The capability function preimage sets for $S_3$, the 
gracefully degrading processor model, are derived in the same manner 
Y*^{a) c w X Y^. 


(12 ((2,2), (2,1)) {(2,2|, (1,2)}J x f* fj) 

U ((2 {(2,2),(2,1)}" {(2,1),{2,0),(1,1),(1,0)}J x fO <J) 

U ([2 (2,0) {(2,2),(2,1),{2,0),(1,2),(J,1),(J,0)JJ x (0 <)) 


(H0,1) (2,0) {(2,2),(2,1),{2,0),(1,2),(1,1),(1,0)}1 X fO ♦] ) 

U (i2 [(1,2),(1,1),(1,0),(0,2),(0,1),(0,0)) {(2,2),(2,1),(2,0),(1,2),(J,1),(1,0)}1 x (0 ♦)) 

U ((2 {(2,2), (2,1)] 2J X {* *1) 

U (12 {(2,2) , (2,1)} OJ X {0 O) 

U (12 (2,0) {(0,2), (0,1), (0,0)}} X (0 ♦) ) 


{2 (2,0) {(2,2), (2,1), (2,0), (1,2), (1,1), (1,0))} x {1 i] 


({{0,1} (2,0) {(2,2),(2,1),(2,0),(1,2),(1,1),(1,0))} x {1 <}) 

U ((2 {( 1 , 2 ),( 1 , 1 ),( 1 , 0 ),( 0 , 2 ),( 0 , 1 ),( 0 , 0 )} {( 2 , 2 ), ( 2 , 1 ), ( 2 , 0 ), ( 1 , 2 ), ( 1 , 1 ), ( 1 , 0 )}} x (1 <}) 

U ([2 ( 2 , 0 ) {( 0 , 2 ), ( 0 , 1 ), ( 0 , 0 )}} X {1 <)) 


([{0,1} { (1,2) ,(1,1), (1,01, (0,2) , (0,1) , (0,0) } *} x (* fj) 

U ({{0,1} (2,0) { (0,2) , (0,1) , (0,0) }} X [* fj) 

U ([2 {(1,2), (1,1), (1,0), (0,2), (0,1), (0,0)} {(0,2),(0,1),(0,0)}.1 X {* f}) 

U ([2 { (2,2) ,(2,1)} {(1,2),(1,1),(1,0),(0,2),(0,1)>(0,0)}} x {1 <]) 


Table 10 

Preimages of Y for the Dedicated Group Processor Model 
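as the sets for the other two models (Sections 3.5.7.1-2). 
The $\xi_{ij}\kappa_3$ are below. 

$$\xi_{11}\kappa_3(w) = \begin{cases} 0 & \text{if } w_1 \in \{4,3,2\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [\{4,3,2\}\ *\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{12}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{4,3,2\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{4,3,2\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{13}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{4,3,1\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{4,3,1\}] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{21}\kappa_3(w) = 0,$$

$$\xi_{22}\kappa_3(w) = \begin{cases} 0 & \text{if } w_2 \in \{4,3,1\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ \{4,3,1\}\ *] \\ 1 & \text{otherwise,} \end{cases}$$

$$\xi_{23}\kappa_3(w) = \begin{cases} 0 & \text{if } w_3 \in \{4,3,2\} \\ 1 & \text{otherwise} \end{cases} = \begin{cases} 0 & \text{if } w \in [*\ *\ \{4,3,2\}] \\ 1 & \text{otherwise.} \end{cases}$$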


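From $\kappa_3$ the component inverses $(\xi_{ij}\kappa_3)^{-1}$ can be derived: 

$$(\xi_{11}\kappa_3)^{-1}(x_{11}) = \begin{cases} [\{4,3,2\}\ *\ *] & \text{if } x_{11} = 0 \\ [\{0,1\}\ *\ *] & \text{if } x_{11} = 1, \end{cases}$$

$$(\xi_{12}\kappa_3)^{-1}(x_{12}) = \begin{cases} [*\ \{4,3,2\}\ *] & \text{if } x_{12} = 0 \\ [*\ \{0,1\}\ *] & \text{if } x_{12} = 1, \end{cases}$$

$$(\xi_{13}\kappa_3)^{-1}(x_{13}) = \begin{cases} [*\ *\ \{4,3,1\}] & \text{if } x_{13} = 0 \\ [*\ *\ \{0,2\}] & \text{if } x_{13} = 1, \end{cases}$$

$$(\xi_{21}\kappa_3)^{-1}(x_{21}) = [*\ *\ *],$$

$$(\xi_{22}\kappa_3)^{-1}(x_{22}) = \begin{cases} [*\ \{4,3,1\}\ *] & \text{if } x_{22} = 0 \\ [*\ \{0,2\}\ *] & \text{if } x_{22} = 1, \end{cases}$$

$$(\xi_{23}\kappa_3)^{-1}(x_{23}) = \begin{cases} [*\ *\ \{4,3,2\}] & \text{if } x_{23} = 0 \\ [*\ *\ \{0,1\}] & \text{if } x_{23} = 1. \end{cases}$$

In Tables 11 and 12 are shown the relations $\kappa_3^{-1}$ and $\gamma^{-1}$ for $S_3$. 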


3.5.8 Performability Evaluation 

Once the $\gamma$-induced trajectory sets of a computer system 
over a mission have been determined, the computer's 
performability is obtained by calculating the probability of each of the 
trajectory sets. That is, 

$$p_S(a) = \Pr(\gamma^{-1}(a)).$$

This section describes how these probabilities were 
determined for the example mission under discussion. In particular, 
Section 3.5.8.1 examines METAPHOR, a software package we are 
currently developing to aid in performability evaluation. 
METAPHOR was used to determine the performability of each computer 
$S_1$, $S_2$, and $S_3$ under several sets of conditions. These conditions 
involve the failure rate of the computer modules, the length of 
0 0 0 
H 0 Q 

0 0 0 
(« 0 1 

0 0 0 ^ 
9^ 1 * 

1 0 0 

^ * 

0 1 o' 

0 * * 

0 0 1 
fi 0 Q 

'O 0 l" 
?( 0 1 

'o 0 l' 

1 * 

1 1 *' 
0 * * 

'l 0 l" 

/ * *. 

'o 1 l" 
0 * * 

'0 0 * 
0 0 1 


c w‘ 


[4,3,2] (4,3) {4,,3)1 


{4,3,2} (4,3) 1) 


f{4,3,2{ 2 {4,3,1}) 


[{0,1} {4,3,2} {4,3,1}) 


[{4,3,2} {0,1) {4,3,1}) 


({4,3,2} {4,3} 2] 


[[4,3,2} {4,3} 0) 


({4,3,2} 2 {0,2}] 


({ 0 , 1 ) { 0 , 1 } *1 


[{0,1} {4,3,2} {0,2}) 


{{4,3,2} {0,1} {0,2}} 


[{4,3,2} {4,3} {0,1}] 


Table 11 

Preimages of $\kappa_3$ of the Gracefully Degrading 
Processor Model 

Table 12 

Preimages of $\gamma$ for the Gracefully Degrading Processor Model 
mission, and the probability of Category III weather at the 
destination. Section 3.5.8.2 gives the results of these 
calculations. 

3.5.8.1 METAPHOR 

To aid in the evaluation and analysis of performability, 
we are developing a software package called METAPHOR (Michigan 
Evaluation Aid for Perphormability). We envision METAPHOR 
ultimately as a tool to be used at all stages of performability 
analysis, from the definition of model levels and interlevel 
translations to the determination of $\gamma$-induced trajectory sets to the 
evaluation of the probability of those sets. At present, only 
the last function has been implemented. 

Because of the design nature of constructing the model 
hierarchy, we believe METAPHOR must be an interactive facility. 
Hence we are incorporating into METAPHOR a command language which 
will enable the user to call desired functions, enter data, 
display results, and seek help or explanations of any function. 

Among the commands already implemented for computing the 
probability of a trajectory set are the following: 

DATA    asks the user which input data he would 
        like to see and then displays it 

ALTER   asks the user which input data he would 
        like to alter and then performs the alteration 

HELP    when typed in response to a question, 
        METAPHOR replies with an explanation of 
        the question 

CALC    allows the user to utilize the APL calculator 
        mode 

END     exits METAPHOR. 
At present, METAPHOR defaults to calculating the probability
of trajectory sets. The user is queried for the number
of phases in the bottom model and the number of states in each
phase. Then the program asks for the transition matrix P of
each phase as well as the interphase transition matrix H between
each phase. (See Section 3.4.3.) METAPHOR is capable of generating
several classes of P matrices corresponding to various
classes of Markov models. The user need supply only the model
type, the failure rate of each module involved, and the length
of each phase. Alternatively, the user can enter the P matrices
directly. Currently, the H matrices must be entered directly.

Next, METAPHOR requests the number of basic variables as
well as their probabilities. At present, METAPHOR can handle
only a string of base variables each of which consists of
a single observation. The user is then asked the number of
accomplishment levels, and for each accomplishment level, the
user must input the number of array products used to describe
the corresponding trajectory set (a). The trajectory sets must
be disjoint; likewise, the array products must also be disjoint.

Finally, for each trajectory product array, the user must
supply the initial state vector I(0), the characteristic matrix G
for each phase, the characteristic vector F, and the basic variable
values. METAPHOR then calculates the probability of achieving
each trajectory product array V using the relation

$$\Pr(V) = I(0)\left[\prod_{i=1}^{k-1} P(i)\,G(i)\,H(i)\right] P(k)\,F(k)$$

where k is the number of phases and the product operation is
matrix multiplication. (See Section 3.4.3.) The effects of the
non-bottom level basic variables and their associated probabilities
are also taken into account by METAPHOR.

Throughout METAPHOR, extensive error checking is provided on
all inputs, to ensure both proper data types (e.g., numeric vs.
character, or scalar vs. vector) as well as logical consistency
(e.g., probabilities summing to one). If an error does occur,
the user is prompted and the question is asked again.
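The relation for Pr(V) and the input checks described above, worked through as an added Python example (not METAPHOR's APL code, which this report does not list). The binomial form of the generated P matrix, the requirement that H rows sum to one, the function names and the sample values are assumptions made for the illustration.

```python
from math import comb, exp, isclose


def type2_P(n, lam, t):
    """Phase transition matrix for one group of n components, each failing
    at rate lam, over a phase of length t. States are ordered n, n-1, ..., 0
    surviving components. ASSUMPTION: independent exponential failures and
    no repair, so a j -> i transition is binomial."""
    if n < 1 or lam < 0 or t < 0:
        raise ValueError("need n >= 1, lam >= 0, t >= 0")
    s = exp(-lam * t)  # probability that one component survives the phase
    return [[comb(j, i) * s**i * (1 - s)**(j - i) if i <= j else 0.0
             for i in range(n, -1, -1)]   # column: survivors at phase end
            for j in range(n, -1, -1)]    # row: survivors at phase start


def check_prob_vector(v, size):
    """Reject wrong length, non-numeric entries, negatives, or sum != 1."""
    if len(v) != size or not all(isinstance(x, (int, float)) for x in v):
        raise ValueError("expected %d numeric entries" % size)
    if any(x < 0 for x in v) or not isclose(sum(v), 1.0, abs_tol=1e-9):
        raise ValueError("entries must be non-negative and sum to one")


def check_indicator(v, size):
    """Reject anything that is not a 0/1 vector of the right length."""
    if len(v) != size or any(x not in (0, 1) for x in v):
        raise ValueError("expected %d entries, each 0 or 1" % size)


def vec_mat(v, M):
    """Row vector times matrix."""
    return [sum(v[r] * M[r][c] for r in range(len(v)))
            for c in range(len(M[0]))]


def trajectory_probability(I0, Ps, Gs, Hs, F):
    """Pr(V) = I(0) [prod_{i=1}^{k-1} P(i) G(i) H(i)] P(k) F(k).
    Gs holds the main diagonal of each G(i); F is a 0/1 column vector."""
    k, size = len(Ps), len(I0)
    if k < 1 or len(Gs) != k - 1 or len(Hs) != k - 1:
        raise ValueError("need k P matrices, k-1 G diagonals, k-1 H matrices")
    check_prob_vector(I0, size)
    check_indicator(F, size)
    for M in list(Ps) + list(Hs):   # rows must be distributions (assumed for H too)
        if len(M) != size:
            raise ValueError("matrix must be %d x %d" % (size, size))
        for row in M:
            check_prob_vector(row, size)
    for g in Gs:
        check_indicator(g, size)
    v = list(I0)
    for P, g, H in zip(Ps, Gs, Hs):
        v = vec_mat(v, P)                        # evolve through phase i
        v = [x * gi for x, gi in zip(v, g)]      # keep states allowed by G(i)
        v = vec_mat(v, H)                        # interphase transition
    v = vec_mat(v, Ps[-1])                       # final phase
    return sum(x * f for x, f in zip(v, F))      # sum over states allowed by F


# Constructed sample input: 4 components, 3 phases, identity H matrices.
LAM, PHASES = 1e-4, (2.5, 2.5, 0.5)
IDENT = [[1.0 if r == c else 0.0 for c in range(5)] for r in range(5)]
PS = [type2_P(4, LAM, t) for t in PHASES]


def demo():
    """Probability that at least 3 of 4 components survive every phase."""
    return trajectory_probability([1, 0, 0, 0, 0], PS,
                                  [[1, 1, 0, 0, 0]] * 2, [IDENT] * 2,
                                  [1, 1, 0, 0, 0])
```

Because the checks run before any arithmetic, a malformed vector is rejected instead of silently producing a number that looks like a probability.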

For this preliminary study of METAPHOR, the language APL [16]
was chosen for the prototype program because of its compactness
and array handling abilities. Once the feasibility of the program
has been demonstrated, however, translating the package
into a faster and more portable language such as FORTRAN
may be desired. At present, METAPHOR contains approximately
fifty APL functions and about 700 lines of code. Also, internal
documentation is generous. External documentation, on the other
hand, is not as thoroughly developed. Because of this and because
METAPHOR is still in an early developmental state, we do
not include a listing of the package in this report. Figure 13
shows the output for a run evaluating the performability of
the gracefully degrading computer S3. The next section discusses
the input in more detail. During the next reporting period, we
intend to continue our efforts in developing METAPHOR.

3.5.8.2 Performability Results

Using both the performability models constructed earlier in 
METAPHOR
VERSION 1
11/77

NUMBER OF PHASES?
□: 3
NUMBER OF STATES PER PHASE? (SPACE BETWEEN EACH NUMBER)
□: 5 5 5

SPECIFY THE P MATRICES FOR EACH PHASE, 1 PHASE AT A TIME

PHASE 1:
WHAT TYPE OF P MATRIX?
□: 2
ENTER PHASE LENGTH
□: 2.5
ENTER COMPONENT FAILURE RATE
□: 0.0001
ENTER NUMBER OF GROUPS
□: 1
ENTER NUMBER OF COMPONENTS PER GROUP (SPACE BETWEEN EACH NUMBER):
□: 4

PHASE 2:
WHAT TYPE OF P MATRIX?
□: 2
ENTER PHASE LENGTH
□: 2.5
ENTER COMPONENT FAILURE RATE
□: 0.0001
ENTER NUMBER OF GROUPS
□: 1
ENTER NUMBER OF COMPONENTS PER GROUP (SPACE BETWEEN EACH NUMBER):
□: 4

PHASE 3:
WHAT TYPE OF P MATRIX?
□: 2
ENTER PHASE LENGTH
□: 2.5
ENTER COMPONENT FAILURE RATE
□: 0.0001

FIGURE 13
SAMPLE SESSION WITH METAPHOR
ENTER NUMBER OF GROUPS
□: 1
ENTER NUMBER OF COMPONENTS PER GROUP (SPACE BETWEEN EACH NUMBER):
□: 4

ENTER THE H MATRICES FOR EACH PHASE, 1 PHASE AT A TIME

PHASE 1:
ROW 1:
□: 1 0 0 0 0
ROW 2:
□: 0 1 0 0 0
ROW 3:
□: 0 0 1 0 0
ROW 4:
□: 0 0 0 1 0
ROW 5:
□: 0 0 0 0 1

PHASE 2:
ROW 1:
□: 1 0 0 0 0
ROW 2:
□: 0 1 0 0 0
ROW 3:
□: 0 0 1 0 0
ROW 4:
□: 0 0 0 1 0
ROW 5:
□: 0 0 0 0 1

NUMBER OF CONSTANT BASIC VARIABLES?
□: 1
PROBABILITIES OF EACH CONSTANT VARIABLE? (SPACE BETWEEN EACH NUMBER)
□: 0.0019
NUMBER OF ACCOMPLISHMENT LEVELS?
□: 5

ACCOMPLISHMENT LEVEL 0
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL?
□: 3

TRAJECTORY SET 1
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 2

TRAJECTORY SET 2
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

TRAJECTORY SET 3
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

ACCOMPLISHMENT LEVEL 1
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL?
□: 5

TRAJECTORY SET 1
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

TRAJECTORY SET 2
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

TRAJECTORY SET 3
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 2

TRAJECTORY SET 4
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 0 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

TRAJECTORY SET 5
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0

ACCOMPLISHMENT LEVEL 2
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL?
□: 1

TRAJECTORY SET 1
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1

ACCOMPLISHMENT LEVEL 3
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL?
□: 3

TRAJECTORY SET 1
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1

TRAJECTORY SET 2
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 1 0
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1

TRAJECTORY SET 3
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):

ACCOMPLISHMENT LEVEL 4
NUMBER OF TRAJECTORY SETS FOR THIS ACCOMPLISHMENT LEVEL?
□: 4

TRAJECTORY SET 1
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 1 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 2

TRAJECTORY SET 2
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 2

TRAJECTORY SET 3
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 1 0 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 2

TRAJECTORY SET 4
ENTER THE I VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1 0 0 0 0
PHASE 1:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 1 0 0
PHASE 2:
ENTER THE G DIAGONAL (SPACE BETWEEN EACH ENTRY):
□: 1 1 0 0 0
ENTER THE F VECTOR (SPACE BETWEEN EACH ENTRY):
□: 0 0 0 1 1
ENTER THE BASIC VARIABLE VECTOR (SPACE BETWEEN EACH ENTRY):
□: 1

PERFORMABILITY FOR THIS MISSION = 0.9999966309 1.873257051E¯6 7.471727544E¯10 1.494594808E¯6 4.983160269E¯10

END
this section as well as METAPHOR, the performabilities of S1, S2,
and S3 in several environments were determined. The environments
and performability results are described below.

Two user environments were considered. The first was a moderately
long flight of 5.5 hours from Washington, D.C. to Los
Angeles, California, while the second was a short flight of 1.0
hour from Washington, D.C. to the J.F. Kennedy Airport in New York.
The probability of Category III weather in Los Angeles was assumed
to be 0.019, and for New York, it was assumed to be 0.011. (These
probabilities are from Table 16 of [17].) In addition, it was
supposed that three types of processor modules were available
with failure rates of 0.001, 0.0001, and 0.00001 failures/hour
respectively, but identical in all other regards. (Of course a
different cost will be associated with each type of module, the
least reliable one being the cheapest.)

For the Los Angeles flight, phase 1 is 2.5 hours, phase 2 is
2.5 hours, and phase 3 is 0.5 hours. The New York flight has
corresponding phase lengths of 1/3, 1/3, and 1/3 hours. The
landing phase of the New York flight is shorter because we assume
the New York plane flies at a lower altitude than the Los Angeles
plane due to the shorter trip.

Figure 13 shows a sample session with METAPHOR used to determine
the performability in the Los Angeles flight environment of
S3 having modules with a failure rate of 0.001 failures/hour. In
the session, the analyst first tells METAPHOR that there are 3
phases in the mission with 5 states in each phase. In phase 1,
the P matrix is of type 2. This is one of the types of P matrices
which METAPHOR will automatically generate if the proper parameters
are input. Type 2 signifies a system with m groups of n
components each. Every group has a transition diagram of the
form

    n --nλ--> n-1 --(n-1)λ--> n-2 --(n-2)λ--> ...

where the state name is the number of surviving components in
the group. For S3, there is 1 group with 4 processors. The failure
rate of the processors is input as 0.0001 failures/hour while the
phase length (for phase 1) is given to be 2.5 hours. Similar
information is presented to METAPHOR for phases 2 and 3.

Next, the analyst informs METAPHOR that the H matrices are
the 5x5 identity matrices, that the single non-bottom level
basic variable is constant and has probability 0.019, and that 5
accomplishment levels are to be evaluated. For accomplishment
level 0, METAPHOR is told that there are 3 trajectory sets, and
the analyst inputs each set by first entering the I vector, then
the main diagonal of the characteristic (G) matrix for phases 1
and 2, the characteristic (F) vector, and the condition of the
weather variable. 0 means non-Category III weather,
1 denotes Category III weather, and 2 signifies either
0 or 1 (i.e., a "don't care"). METAPHOR calculates the performability
"on the fly", i.e., METAPHOR does the necessary calculations
on the data as it is input and then discards the data it
will no longer require. Once the analyst has completed entering
all the trajectory sets for each accomplishment level, METAPHOR
prints the performability.

METAPHOR was used to evaluate the three models S1, S2, and
S3 for each of the failure rates in both user environments. The
results of these computations are in Table 13. Employing bar
graphs, Figure 14 compares the performability of each processor
and environment vis-a-vis the processor module failure rate.
Because of the wide range in magnitude of the probabilities, a
logarithmic axis was used. For accomplishment levels a1 through
a4, the axis is labeled in increments of lO"^, while for a0, the
axis is labeled in terms of "n 9's." This phrase denotes 1 - 10^-n;
for example, 5 9's = 0.99999 and 3 9's = 0.999.

As is to be expected, the gracefully degrading processor
model, S3, has a higher probability of accomplishing a0 and lower
probabilities of achieving a1 through a4 than the other two
processor models. Consider however the interesting results regarding
S1 and S2. In particular, note that the probability of a crash,
a4, is greater for the dedicated group processor model, while
the values for a0 are the same. This outcome is somewhat surprising
since S2 has some form of reconfiguration and so seemingly should
be more reliable. However, examination of the entire performability
spectrum reveals the reasons for this discrepancy. Note that for



Mission environment: Washington, D.C. to New York (JFK), B = 0.011

Computer  Module failure rate   Accomplishment levels
model     (failures per hour)   a0             a1            a2            a3            a4
S1        0.001                 0.997          3.4 x 10"^    6.6 x 10"^    3.3 x 10"^    1.7 x 10"^
S1        0.0001                0.9997         3.4 x 10“^    6.6 x 10"^    3.3 x 10"8    1.7 x IQ -^
S1        0.00001               0.99997        3.4 x 10-«    6.6 x 10-8    3.3 x 10-8    <1.7 x 10*8
S2        0.001                 0.997          7.4 x 10-«    4.4 x 10’’    6.6 x 10“^    2.6 x lO'l
S2        0.0001                0.9997         7.3 x 10 *    4.4 x 10 ^    6.6 x 10 ^    2.6 x 10 ’
S2        0.00001               0.99997        7.3 x 10-8    4.4 x 10-11   6.6 x 10-8    2.5 x 10-8
S3        0.001                 0.999994       3.4 x 10-8    1.8 x 10-8    2.6 x 10-8    1.2 x 10"8
S3        0.0001                0.99999994     3.4 x 10-8    1.8 x 10-12   2.6 x 10-8    1.2 x 10-12
S3        0.00001               0.9999999994   3.4 x 10-^8   1.8 x 10-18   2.6 x 10-18   1.2 x 10-18

Mission environment: Washington, D.C. to Los Angeles, B = 0.019

Computer  Module failure rate   Accomplishment levels
model     (failures per hour)   a0             a1            a2            a3            a4
S1        0.001                 0.98           5.4 x 10 "^   1.8 x 10-1    2.4 x 10*1    8.4 x 10“1
S1        0.0001                0.998          5.5 x 10 "®   4.9 x 10 -*   2.5 x 10 *^   8.5 x 10 “^
S1        0.00001               0.9998         5.5 x 10-8    4.9 x 10~8    2.5 x 10~8    8.5 x 10"8
S2        0.001                 0.98           9.4 x 10 "^   1.2 x 10 " 8  4.9 x lo'i    1.3 x 10"2
S2        0.0001                0.998          9.5 x 10 “    1.2 x 10 '    4.9 x 10 ’    1.2 x 10 ^
S2        0.00001               0.9998         9.5 x 10 '    1.2 x 10 ^    4.9 x 10 ^    1.3 x 10 ’
S3        0.001                 0.9998         3.4 x 10 "^   1.4 x 10-2    1.5 x 10 "^   7.8 x 10-8
S3        0.0001                0.999998       3.4 x 10 “^   1.5 x 10-18   3.5 x 10-8    7.8 x io-^\
S3        0.00001               0.99999998     3.4 x 10"8    1.5 x lo'i^   1.5 x 10-8    7.8 x 10 - 1 ^

Table 13

Performability for S1, S2, and S3. Modules
have three failure rates, and two mission environments are considered.
B = Pr(Category III weather at initiation of landing).
Figure 14

Performability for the Example of Section 3.5.
(Bar graphs; axis labels a0, a1, a2, a3, a4.)

a) Processor Module Failure Rate = 0.001 failures/hour
   Washington, D.C. to New York Mission

b) Processor Module Failure Rate = 0.0001 failures/hour
   Washington, D.C. to New York Mission

c) Processor Module Failure Rate = 0.00001 failures/hour
   Washington, D.C. to New York Mission

e) Processor Module Failure Rate = 0.0001 failures/hour
   Washington, D.C. to Los Angeles Mission

f) Processor Module Failure Rate = 0.00001 failures/hour
   Washington, D.C. to Los Angeles Mission
S2, the probability of the high fuel consumption achievement, a^,
is about an order of magnitude lower than for S1; similarly, the
probability of the diversion achievement is usually several orders
of magnitude lower. Thus, the reconfiguration and diversion
policies associated with S2 have decreased the chances of either
diverting or having poor fuel consumption, but have done so at
the expense of increasing the probability of crashing. If a
suitable worth function Wg (see Section 3.1.1) were provided, the
worth of each system in each environment could be calculated.

Within the example given in this section we can see
the advantages of performability analysis over traditional reliability
analysis. Reliability results indicate the probability of "success"
or "failure" with respect to some set of success criteria, but do
not as succinctly reflect the performance of the system. For
example, a traditional reliability analysis of the mission in this
section might have determined the probability that 2 of the 4
processors were still working at the end of the mission. Using
more sophisticated methods such as the phasing techniques of
Esary and Ziehms [8] would have improved the reliability analysis.
However, the performability analysis demonstrated in this section
can accommodate even more general relations between state behavior
and performance than those treated by traditional phasing techniques.
In particular, the analysis is able to treat levels of system
performance which cannot be formulated in terms of per-phase structure
functions or per-phase sets of "success states."

For instance, consider S3 and suppose phase 3 has state 4
and the weather is not Category III. Then from Table 12, the
relation between the states of phases 1 and 2 and the associated
accomplishment levels can be determined:



    q1         q2         accomplishment level
    {0,1}      {4,3,2}    a1
    {4,3,2}    {0,1}      a1
    {4,3,2}    {4,3,2}    a0
    {0,1}      {0,1}      a4


Thus, if q2 ∈ {4,3,2} then the "success states" for a^^ cannot
include q1 ∈ {0,1}. Similarly, if q1 ∈ {4,3,2} then for a1,
q2 ∈ {0,1}. In other words, the "success states" for phases 1
and 2 are influenced by one another. In fact, they are R-dependent
where R is y'^Ca^}. (See Section 3.3.2.)

During the next reporting period, we plan to study further 
examples of performability analysis. 